A

You're listening to the Cyberwire Network, powered by N2K.

B

Hello, everyone and welcome to the Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner and joining me is Joe Kerrigan. Hey, Joe.

C

Hi, Dave.

B

And our N2K colleague, Maria Vermazes. Maria.

A

Hi, Dave. And hi, Joe.

B

Got some good stories to share this week, but first let's get some follow up. Joe, what do you got?

C

Well, it's a stupid chicken story.

A

Next.

C

I have some stupid chickens.

B

Oh, is there any other kind?

C

Yeah, that's a good question. Nobody has ever accused a chicken of being smart. So, you know, I, I, I, I bought this coupe and then I got the coop, had a little run on the front of it, and that run does not meet the needs of the chickens. It would be inhumane to keep them in something that small. So I built a new run, but I thought the coop was adequate. Well, about this time last week, I started going outside, go out every night to check on them, make sure they all got in the door, didn't close and leave them outside. And they're all just sitting on the, on the roof of the old run that sits inside so that they have something to run around and each other from. Right. So they're just sitting there, they're not going inside. So I had to go out there and manually put them all back inside the coop. The upside of this is that it does give me a few minutes to practice Sue's technique.

B

Holding the rooster.

C

Holding the rooster.

B

Invert the rooster. Not a euphemism.

C

Yeah, I don't have to invert him anymore. I pick him up when he's at night and I hold him and tell him he's a good rooster. And I put him in first because I want the hens to follow him because he's the leader. Right. But he's not going in. And because of that, the rest of the hens are not going in. Now, I think it's because my coop might be too small.

B

Okay.

C

So I'm also working on a ventilation solution, but I think what I'm going to be doing is just getting a new coupe.

B

And so it begins.

C

Right. So now I'm in for like another X number of dollars. I mean, I see coops that you can buy, they're like $1,500.

B

Yeah.

C

You know, I don't know if I want to spend that much money on a Coupe. When I can build a coupe for probably $400.

B

Okay, but how crafty do you consider yourself?

C

I built the run with no problem.

B

Okay, I mean, good.

C

Not with no problem, but, I mean, you still have all these fingers. I did. I did break my ankle while doing it.

B

Oh, that's right.

A

You broke your ankle while doing that. I have.

C

I have this old injury from college. I'd like to tell you it was a football injury or some masked old pogo stick accident. Right, it was an old pogo stick accident.

A

What were you doing with that pogo stick?

C

It did involve some heavy metal, and it did involve somebody that was like 6 foot 8 and weighed 500 pounds. The guy was huge.

A

So the mosh pit is what I'm understanding.

C

Yes. The mosh pit that I had in my living room.

B

Very nice.

C

Anyway, that has resulted. That injury has resulted in a teardrop shape of bone at the end of my tibia that kind of hangs into the. Into the, you know, the natural working of your ankle. You know, like your ankle can move side to side. Well, if my ankle moves too far side to side, it'll snap this piece of bone off. Now, this piece of bone is useless, okay? So all it does is hurt.

B

So, anywho.

C

Yeah. So anyway, I did hurt myself, so now I gotta. So I may just wind up buying the thing so I don't have to tell Maria another horrific story.

A

Yeah, Just like I'm imagining you breaking your ankle making a chicken run, and I'm thinking you just tried to run on the chicken rung.

B

Maybe we can take up a collection for you, Joe.

C

It was a. It was the most old man of injuries. I. I did this standing up.

A

Not sneezing. Getting off the couch a little too

C

fast, just standing up. It was terrible.

A

Turning your neck just so. I'm laughing because I've done all of those things. So. It's fine. It's fine.

B

Here's what crossed my mind. Maybe. Is it possible, or have you checked that the chickens don't want to go inside the chicken coop because there's something in there?

C

Oh, yeah. There's nothing in there.

B

Well, do you check. I mean, stick your head in there. I do.

C

In fact, last night and for the past two nights, there's.

A

Oh, God, there's a Joe in there.

C

There's one chicken that. Dottie. Dottie is the smart chicken, apparently. Because for the last two nights, when I go out there and open the door, Dottie's inside, and she's just sitting there in one of the nesting boxes. You know, sleeping and this is nice. You get a little solitude in here. But yeah, the other ones are not going in. I put some roosting bars in there recently and they. And that. It takes up more space than I thought it would. I think I just need to build a big.

B

What happens if you don't put them in there? Don't they eventually go in or.

C

No, the door closes at 9:30 right now.

B

Oh, I see.

C

Which is probably the latest. I'll have to set it around here because by that time they should be in the coop, but they're not. I mean, you know, I get my headlamp on because I have those rechargeable LED headlamps, which are great.

A

And.

C

And I look out and I see a bunch of eyeshine of these little feathered idiots sitting on top of this, perching on top of this thing, looking at me like, hey, what's that? Is that Joe? I wonder if he has treats.

B

Joe. Yeah, that's all right.

C

So for the past week and a half, I've been just going out there and putting them back into the coop.

B

Sue, if you're listening.

C

Yeah, I think I just need a bigger coop. I keep the coop clean.

B

I'm seeing if sue, who is clearly an experienced chicken raiser.

C

Chicken farmer. Chicken farmer, yeah.

B

Right. Like perhaps, you know, they have a solution to this, much like they had for the rooster. So maybe there's something, just a little bit of wisdom that you need to know how to condition your chickens to automatically go in the coop on their own.

C

I could do that. I could probably also go to some Facebook group, but, God, you go to a Facebook group and you ask a question and it just spirals out of control almost instantaneously.

B

Yeah. All right, I'll tell you what. Let's take a quick break to hear from our sponsors and when we come back, we will get into our stories. Every attacker counts on one thing. Environments that trust too much. Threat locker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo@threatlocker.com N2K. And we are back. I'm gonna kick things off for us this week and I am going to talk about sugar baby scams.

C

What is a sugar baby scam? Are those little candies that come like the same thing? From the same company, Sugar Daddies.

B

Yeah, yeah, yeah. You know, there was a Broadway show called Sugar Babies back in the. Around 1980. I actually saw it was Mickey Rooney was starring in it.

C

Wow.

A

Kind of a name I haven't heard in a while.

B

Kind of a vaudeville sort of kind of thing. It was. It was fun. My favorite. Well, not my favorite, but the thing I remember from the show Sugar Babies was Mickey Rooney told a joke to Ann Miller, who's also in the show. So it's, you know, old, old timey people. He said. He said, ann, what's the difference between mashed potatoes and pea soup?

A

Sorry. Your impression of Mickey Rooney is oddly spot on.

B

That's.

A

Sorry. I was not expecting that.

C

I didn't know how good that was because I've not really spent a lot of time watching Mickey Rooney.

B

Yeah. What's the difference between mashed potatoes and pea soup? And she says, I don't know, Andy or Mickey. What is the difference between Andy Rooney. That would be a very different show.

A

The eyebrow quotient just went sky high.

B

And what's the differ between. She says, I don't know. Mickey, what is the difference between mashed potatoes and pea soup? And he says, anybody can mash potatoes.

A

Gross. Gross, but funny. And I'm also gonna tell my kid that one tonight. She's gonna love it.

C

All right, that's pretty good. I'm gonna use that one.

A

That is pretty good.

C

Yeah.

B

Good joke.

A

Quick question. Clarifying question. Are sugar babies the same thing as jelly babies?

C

No, sugar babies are caramel. You ever seen a sugar daddy? That's like a big caramel candy bar and a stick.

B

So many mixed things here.

A

I don't know how to answer that question, to be honest with you.

B

Remember when you were in college and you needed the money?

A

This is not that kind of show. I thought we weren't getting into that. All right, okay. So not jelly babies, because I'm thinking.

B

Dr. No, there is a. So Joe's correct. There is a sugar baby candy that's kind of a chewy caramel thing on a stick, Right? It's on a little One of those awful paper white paper sticks. I believe there's also. What else am I. Oh, Sugar glider. That's what I'm thinking. Oh, yeah.

A

I made the mistake of just Googling this real quick, and I regret everything. Okay, that was so dumb. What am I, new to the Internet? Okay, close that tab immediately.

C

I just closed. Probably the same tab you just closed.

A

Oh, my God. Okay. Yep, yep. Okay. I'm just gonna Take your word for it.

C

I'll follow that up with candies.

B

And. Yeah, very important to your word.

A

I'm an absolute idiot.

B

Okay, this is from the folks at Panda Security, which is a subgroup of the people who work at the National Zoo. I say, in 2025, Americans lost $929 million in relationship and romance fraud. And one of the examples of that are sugar baby scams. So sugar baby scams are a type of romance scam where someone pretends to offer financial support, gifts, or a monthly allowance in exchange for companionship. That's the offer. Of course, the money never comes.

C

Oh.

B

So instead, let's walk through this together. Okay, so let's say, Joe, you're online, you know, going around. Let's make this even better. You're on a dating site.

C

Something terrible has happened to my wife.

B

I was gonna say something that would never happen.

C

Right.

B

But just bear with me here.

C

Okay.

B

You're on a dating site.

C

Yep.

B

And suddenly you get a message from a beautiful woman half your age.

C

Right. Already I'm suspicious.

B

Right, Right. And she claims to be a wealthy professional who wants a simple arrangement. In exchange for emotional support from you and your good conversation, she is going to send you money.

C

Okay. Wow, I'm in.

A

What could possibly go wrong?

B

Right? Right.

C

Here's my bitcoin address.

B

Yeah. So a lot of times what'll happen is they will send you a dm, promising you easy money for conversation or online companionship, and then they'll demonstrate proof of payment. So they'll try to prove that they're real. They'll either send you a check through email, or they'll transfer money using, like, Zelle or Cash app or one of those. And the payment appeal appears real at first. But usually it's sent from either a stolen account or the check is fake. And then the scammer asks you to send part of that money back as a sign of good faith.

C

Right. So this is very similar to the check floating scams.

B

Pretty much exactly the same, just with a little helping of sexual titillation.

C

Right. A sprinkling of romance scam thrown in.

B

Right, exactly.

A

But somehow even more implausible than the previous version.

C

Right. Like the fake job offers where you have to go out and buy your own equipment.

B

Right, Right. So this per. So let's, for example, this person who's contacted you, Joe, they send you $200 via Zelle and they say, hey, just so that we're good with each other, just send me $50 back using a gift card. Right. Once you go to the store, buy a $50 gift card. This is just how we can demonstrate that we trust each other.

C

Right.

B

So you go to the store, you get the $50 gift card.

C

Well, I say, hold on. We're gonna do this in a couple of days, right? I mean, we're gonna do the. I need to make sure this transaction totally clears before I go buying any gift cards and giving you any money back. So let's just wait a couple days. Thanks for the $200. I immediately withdraw, close all my bank accounts, and walk away.

B

Okay.

C

I'm kidding.

A

Yeah, I was gonna say closing your bank account. I mean, the Pope just tried doing that and he didn't have much luck.

C

Have you?

B

That's right. That's right.

C

I missed that.

A

It's always easy and quick.

C

Yeah.

B

The Pope tried to call his bank, and they hung up on him. Cause they figured it was a joke. Yeah, sure.

A

And to be fair, they were doing their job. Like, they can't win. Right, Right.

C

Whenever I wanna do a Pope impression, I wanna put an Italian accent on, But I can't do that anymore. Cause the Pope has an American accent.

A

Got a chic.

C

I want to log into my bank.

B

You want to do like, Father Guido Sarducci, right?

C

Exactly. That's where I got.

B

Yeah. Okay.

A

We're going to get so many angry emails. I'm sorry.

B

So eventually what happens is the original payment that they sent you. So in this case, the $200 gets flagged as fraud.

C

Right.

B

It gets reversed. So it gets sucked out of the system. So it gets sucked out of your account, Joe.

C

Yep.

B

You're out the $50 gift card money that you sent back.

C

Yep.

B

And that's how it goes. That's.

C

Then there I am. Sad that I've lost $50.

B

That's right.

C

And that I don't have $200.

B

That's right.

C

And that this woman really didn't want me for my companionship.

B

That's right.

C

My heart is broken.

B

Yes. So it's insult and injury.

C

Yes.

B

Yeah.

A

But to quote a great philosopher of our time, Joe, your heart will go on.

B

That's right. So they have some tips here, too.

A

Can't get the reference.

B

Nope.

C

That's the. The Titanic theme.

B

Yeah.

A

Oh, there we go.

B

Clustering you and Lisa at the bow of the Titanic. Except it's your arms that are spread wide, Joe.

A

If the silence was going on.

C

She is not picking my fat butt up. That's just not happening.

B

So they have some tips here. They say, avoid unsolicited communication. If a stranger off contacts, you out of nowhere offering money. That's a sign.

C

Yeah. People generally don't do that.

B

Oh, my God. Generally not flattering messages. Of course, if it's too good to be true, they say look for clearly fake photos, requests for personal information, particularly if they ask for things like banking details or ID photos or passwords.

C

Yes.

B

Trying to get you onto a different site. We always talk about that one.

C

What's the password to your bank account?

B

Right.

A

Yeah. I mean, we would laugh and walk away in real life if this was face to face, but when you're in that tunnel vision when you're online.

C

Yeah. Especially when you're getting hit with a romance scam, these things become very difficult to think your way out of.

A

Yeah. The blinders are really strong. It's quite amazing how that works.

B

Yeah. So, again, I think the bottom line here is, you know, I have a link to this story in the show notes, and I think this is one of those good ones to send around to your friends and family, particularly perhaps the older folks in your life who would be more likely targeted by something like this. So send it around, ask people to read it, and hopefully you'll help inoculate them against this particular scam.

C

Yeah. This reminds me of something I saw on TV back in the 80s. It was a. I can't remember what the context was, but there was a reporter, man on the street, reporter with a cameraman watching him. He goes, I'm just gonna try to give away $20 right now. He just starts asking people, hey, can I give you this 20 dol. $20 bill? And like, universally, everybody's like, no, get away from me.

B

Right, right. Yeah. That's like when you're walking through the mall and the people with the carts say, hey, can I ask you a question? Like, no, no, no, you may not.

C

Yeah, you can take two steps back and, and be, Be silent. Thank you. That's what you can do.

B

Right?

A

Yeah. But I, I, I've been so When I was on vacation recently, I was thinking about historically that there have been romance scams through correspondences that go back about hundreds of years that we have documentation of. I'm thinking of the necklace scandal that helped bring down the reign of Louis XVI and Marie Antoinette. Like, that was a whole thing. Look into it. Seriously. We could do a whole episode on that. But it's just like before there was social media, people were getting fooled with ladies of the night who looked like the queen and letters that were supposed to be from her, and they bought lots of expensive jewelry. Anyway, it's a whole rabbit hole. It's really fascinating.

C

That is. I will have to look into that.

A

You will be amazed at the parallels to how the scams still work today. With this one, it's actually like, just put it back in time. A romance scam. It's amazing how much things really haven't changed.

B

No. Everybody still just wants to be loved. Yep. Yeah. All right, well, like I said, we'll have a link to that story in the show notes. Maria, what do you got for us this week?

A

Okay, so I'm not getting into Mary Antoinette and Louis XVI today. Some other episode. Some other episode. Happy to get into it some other time.

B

Look forward to that.

C

That story has a happy ending, right?

B

Depends on who you are.

A

I mean, France seems to be doing okay now, so. Yeah, I would say. Yeah. Inevitably, yes. So my story is actually about not France, but a place that is often confused for France. And that place would be Detroit, Right, sure.

B

You get off the plane, you look around. Wait a minute.

A

Or Detroit Noir. So this story is from. Click on Detroit from reporter Lauren Kostyuk, and the headline is awesome. It's called Hacked, Robbed, then banned. Canton Township Business owners meta AI nightmare Now.

B

Dun dun, dun, dun.

A

Now, of course, it's meta, and we love to pile on meta and body, blah, blah. But the hook for this story that I was especially drawn in by was that this is actually about a small business owner. And, Joe, as we've established, I found you on Facebook.

C

Yeah.

A

So I know you're on.

C

Yeah, that was me. By the way, I accepted your friend request.

A

I saw. Thank you.

C

Not an impersonator. I have to go in and check my. Check my. Check my settings because I don't think you should have been. My impression was you should not have been able to find me.

A

I shouldn't have. And yet, anyway, you and I know. And, Dave, you're on Facebook, too. A lot of small business owners, their entire business is done through Facebook, especially town and village and small city Facebook groups and such. So if you've built your business and you're networking through Facebook and something happens to your Facebook account, that is a catastrophic event. So that's sort of what this story hinges on, is a little wrinkle on an account takeover that is actually, again, really, really awful if you're a small business owner. So the hero of our story is a gentleman named Jason Kielman, who has spent 26 years dispensing hearing aids. And he runs a mobile practice in Michigan where he visits patients in their homes, and he recently turned to Facebook ads to grow his business. This is not unusual. A lot of small business owners do stuff like this. And he says that his Facebook business account was recently hacked twice in four days. The attackers logged in from different states. They stole nearly $1,000 in ad funding from his account, and then they triggered a permanent ban of his Facebook business account. So after Jason reported the fraudulent charges and suddenly lost access to his account, he went through the only means he had to try and appeal this permanent ban that for some reason had hit his account, which would be Meta's or Facebook's AI chatbot. There's no human being. There's no phone number he can call. There's no way he can talk to a person.

C

Talk about. This is a new level of nightmare for screaming into the void.

A

Oh, sure, yeah, no, it is.

C

The only thing you have to do is talk to our AI thing, which is probably just set to say, no, no, no.

A

Yeah, it's just a big wall and you're going to scream at it. Exactly that. And he was told to, oh, okay, I can help you. I'm a very friendly AI chatbot. To get your account back, you just need to finish our ID verification process, where, you know, you probably upload a selfie of your. Of yourself, like a video selfie, and then your government ID and they verify that you are who you say you are. He goes through that process, and pretty much instantly the judgment comes down through Meta's AI moderation system that says, we are never going to give you your Facebook business account back. And also, you've been accused of child sexual exploitation violations. So that is why you are perma banned.

B

Right. And now. And that ban is now associated with your actual government ID and your business.

C

Yeah, this sounds like a lawsuit waiting to happen.

A

Yeah. So he's, as you might understand, obviously he didn't do what he's been accused of, just to be clear. And he's understandably, this is an existential crisis for him and his business. So he pays out of pocket, in addition to the money he's already lost from the attackers, for this thing called Meta Verified, which is that $15 check you can get that. You see, some people have to try and actually get a human being to review all this. So again, let's just pause and say the only way to get a human being maybe is to pay for it. That really does not sit right with me at all. But they come back Meta, whether it's a human being or not, I'm not entirely sure. But Meta comes back and says, no, your case is closed. Thank you for your money, but there is no recourse here. So there is a. There is thankfully a happier ending to this. I'll get to this.

C

Okay, good.

A

Yeah, yeah. I don't want to just say, like, that's the end of the story. There is actually an epilogue to this. But in the meantime, the thing about this story that also made me really just gave me some pause was the idea that after the attackers kind of got what they wanted out of him, which was the money that they stole, they essentially salted the earth behind them by apparently they actually had legitimately uploaded csam using his account, really to trigger that ban. Yes, it was done on purpose so he would not be able to recover his account. So they know the attackers know that AI moderation is being used on Meta accounts far and wide.

C

Right.

A

So if they upload legitimate csam, which is horrendous.

C

Right.

A

That obviously it's going to trigger the automated moderation systems and there's no way that anyone's going to be able to get their account back. So it's, yeah, literally salting the earth. Burn it down behind you. Just. Just awful. So in this case, Jason says, you know, he had reputation damage, which is way worse than the thousand dollars that he was out. His business depends on Facebook advertising because again, small town America especially, what other recourse do people have? What, like what, your local newspaper? Where are you going to have a right. Where are you going to advertise? It's Facebook. That permanent moderation label does carry a serious stigma. People are just going to. I mean, I don't know what that looks like, but there's a stigma there. And again, he can't really get through to a human being to get eyes on this, or at least not through any normal means that anyone could do. There was no phone number for him to call. There's no person that he could easily reach. And the appeals process basically just said, no, you're awful for doing csam, we don't want you back. So thankfully, thanks to local news in his case, putting a highlight on this, the happier ending for Jason is he was able to get a lot of his money back through his bank and he also had to actually appeal to his local legislator and he had to bring in essentially the government to try and work with Meta to hear out his case. So he had to kind of go up the chain for his Facebook account to get someone to actually look into this. Which is nuts to me that you just, you can't just Get a customer service person to just look at this so he's not completely out. But the amount of work he's had to try and do just to get somebody to look at this and just see what has clearly gone on is just insane to me. So when this local news story in the Detroit area started reporting on this, they found a number of businesses saying they've been encountering a similar salt the earth kind of attack for their Facebook business accounts. So especially for small businesses that are so dependent on Meta nowadays, which are most of them, I would say the takeaway is to treat your social media account like a key business infrastructure because it is like a bank account. So, of course, strong, unique passwords. Please use a password manager. They're really great. But also get multi factor authentication up and running if you don't already. Maybe have backup administrative accounts in case one of them gets locked out. So just don't have, you know, all your eggs in one basket. But there was also some advice about not using your company's main payment card for also paying for ads on Facebook. Sort of assume that your Facebook account may actually get compromised. So don't have it attached to something that draws money from your main business account. Maybe have a low limit payment card just for ad platforms like Meta.

B

I can reinforce that.

A

Isn't that awful, though, just to be like, yeah, just assume that something bad's gonna happen and make sure they don't have the keys to the kingdom.

B

Well, I had a reverse. The reverse thing happened to me where I was trying to promote an event that was coming up for a nonprofit that I volunteer with. And so as part of that, I was helping them post things, you know, post ads for this fundraiser. And we thought, oh, let's spend a little money. And so I made the huge mistake of using my personal credit card to try to pay for some ads. Now, you'd think this is the thing that Facebook wants you to most do, right? And Facebook just started hammering my card with inquiries and payments to the point where my bank shut the card down.

A

Wow. Yeah, wow.

B

So I called the bank and they were like, yeah, you gotta come in. You know, so you ain't the Pope.

A

You gotta be here.

B

Yeah, exactly. So I had, you know, so went to the bank, proved I was me, you know, and we got it up and running again. But it was like, okay, well, I'm never doing that again. You know, I'm gonna get some, I don't know, burner card or something to use on Facebook because.

A

Yep.

B

Yeah, sorry, Marie, I didn't mean to hijack. No, it's story there.

A

No, it's, it's, it's, it's. I never would have thought that that would be necessary. I, I think for all of its problems, given how big Meta is, I would never have thought that that kind of treat it like it's essentially, you gotta put it in this walled garden. You gotta treat it like it is going to scam you. That's just so surreal to me that that is the, the best option for something like that.

B

Like, I just, it is a bad neighborhood. Right. It's like going to 1970s Times Square.

A

Yeah. Roll up your windows, lock your car doors and don't really fully stop at an intersection, just roll through. And if someone starts walking close, you

B

start speedo money in your shoe.

A

It's just, I just can't believe, and yet that this is the situation we are in with Meta for, with, with businesses in this case. Anyway, the good thing is that Jason also, to help himself out, smartly documented absolutely everything that he was going through. So again, he went through his state legislator to try and get eyes on this with Meta. And I want to correct something I said earlier. He has access back to his personal Facebook account. His business account is still locked as of time of this recording. So I just wanted to double check that. I said, wait, did he get everything back? No, he's, he's. His Facebook personal account is back, but his business account is still inaccessible, again for something that he did not do, which is just awful. So work with your bank or a card issuer, certainly file a report with local police. If this happens to you, potentially you can report it also to the FBI, but apparently when Meta's not paying attention to you, you have to go up the chain with your legislators and try and get someone to pay attention to you. I cannot believe this.

B

I wonder, if he was in Europe, could he invoke gdpr and if so, boy, it's a shame we don't have GDPR or any meaningful privacy legislation. Right, or anything. There's no federal privacy legislation.

A

Essentially, you have to prostrate yourself at the foot of your state senators or something and hope that one of them cares enough to help. How is that the state of things? It's just bizarre.

B

No, no, I've said it before, I'll say it again. The companies like Facebook, they no longer operate at a human scale. And so you are just churned to them. And if something like this pops up, you're not worth their time. Your little local business is not worth their Time. So they just send you on your way and wish you well. And that's tragic.

A

Yeah. Act appropriately, small businesses. So treat. Treat that like the radioactive situation that it is.

B

I mean, it's a shame because, you know, you say don't put all your eggs in one basket, but there's no other basket.

A

No, it's true.

C

No.

A

Yeah.

B

Yeah. So. All right, well, we will have a link to that story in the show notes. Let's take a quick break here to hear from our show sponsor. We will be right back after this. Most environments trust far more than they should, and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. And we are back. Joe, you're up. What do you got for us this week, Dave?

C

My story comes from Regina Mobley at wavy, which is in Newport News, Virginia.

B

The Wave.

C

The Wave. Wavy. Wavy, yes.

B

Wavy. It sounds like a. Definitely sounds like a beachy.

C

Yeah.

B

Radio station.

C

Yeah. Like one of the ones you listen to in Ocean City when you're down there.

B

Exactly. You're tuned to 107 the wave. Right. And there's a sound of egg.

C

Yeah.

A

Yeah.

C

All right. Well, this is not a happy story.

A

I was gonna say I'm on the beach right now flying a kite. All right. No.

B

Okay.

A

I'm not there anymore.

C

They talk about this woman named Christine. I'm just gonna refer to her as Christine. Her full name is in the article. But she has growing family, four dogs, three kids, and a fiance, and they're looking for a new house. So she goes onto Facebook Marketplace, which is a mistake because it's all essentially scams on there. Well, that's not true. I buy things on Facebook Marketplace from time to time, but I always do cash in person. Right.

A

Yeah. People selling. Like, I was looking for a bench earlier today. I mean, I don't think Those are scams on Facebook, but I'll find out when I show up.

C

But when you put something on Facebook, even if it's free, you get a whole mess of just crap, you know? And it's just a terrible experience all around. Anyway, this person identified themselves as a landlord. This guy, Steve Arthur Jr. And that is probably a compromised account. So this is probably not the real guy's name. The initial connection was a red flag because Christine said the very first time he calls he facetimes. And she didn't answer because she thought it was weird. But Arthur then says, hey, this is a rent to own property. Right. Which is. I don't know. That already sounds kind of scammy to me. I mean, even when people are doing rent to own, I mean, have you ever heard of that? Where it ends up with the person owning the house?

B

No. I mean, mostly what happens is you have a rental with an option to buy, right? Yeah.

C

And sometimes they say they're gonna take some of the money and put it into escrow for a down payment, correct? Yeah, correct. I've never seen that.

B

But not in this market, right?

A

Yeah, I haven't. That always, to me, was told, like, hey, that's not really real. I mean, I would love to know if that actually has ever happened, but I've never heard of that being a real thing.

B

It has. My father was a career realtor, and so I do remember that being a real thing, but I'm also could very well be remembering back to the 1980s when interest rates were at 18%, so people were doing whatever they could do. So, Yep, Yep, yep, yep. So I think you're both right.

C

So Arthur says, this is a rent to own property, and to secure the deal, I need the first month's rent, which is approximately $1,350, and I need a security deposit of also $1,350. So the family wires Arthur $1,400 and gets to work on getting the rest of the money together. And then Arthur says, you guys are cleared to move in. And they say, great. How do we get into the house? And Arthur says, I hereby give you permission to break the lockbox and take the key out of the house to open the house up. Go ahead and move in.

B

I'm gonna send you a free crowbar, right?

A

Yeah, just throw that rock through the window. Don't worry about it.

C

The fiance goes, we're not doing that. Right. So then the legitimate property management company, Atlantic Coast Realty, sends her an email with the code on it to open the lockbox. And we're gonna get to how that happened here in a minute. So they go and they open the lockbox and they actually move into the house. And the next morning when they wake up, they wake up to people knocking on the door. And they're like, you can't. What are you doing? And they're like, the renter told, or the owner told us, we could move in. This is a rent to own property. And they're like, no. Did you sign a lease? You can't, you can't. You can't be here. You get. You have to go. So they are now homeless. They had to get a U haul to get all their stuff out of the other place. It's. It's still in there. They're technically, they're living in a shed, reportedly living in a shed, which is horrific. But Atlantic Coast Realty said, you know, responded to this news article and this is their statement. I'll just read it, and that's going to go swimmingly, I'm sure. We are deeply saddened by the perspective that a prospective tenant appears to have been the victim of an online rental scam involving unauthorized third parties. The individual scheduled a property viewing through tenant tuner, plat through the tenant tuner platform at our property and has the address. As part of the showing process, prospective tenants are provided written instructions warning them not to send money to third parties and advising them to independently verify any payment requests before transmitting funds. Unfortunately, it appears a bad actor manipulated the prospective tenant into sending the payments via Bitcoin and cash app to unauthorized individuals unrelated to our office. So they also go on to say, we never take Bitcoin or cash app and we fully sympathize with, with the, with the victims here. So this is what happened. This guy, after they said, no, we're not breaking the lockbox open and moving in. That's ridiculous. This guy goes, oh, okay, let me, let me see if I can find a workaround. And he just calls the department, the rental company, and says, hey, I want to go in and look at the house. Can you send me, send me a code for. Or send a code to me, and gives them Christine's email address. So Christine gets the email address from the property management company and gets instructions on how to open the lockbox. So here's my question on this. Why go through all that trouble once you have the money? Once you have the money, why do you go through the trouble of telling people, yeah, sure, break the lockbox? Or if they. Why not just ghost Them at that point.

A

Cuz crime is fun.

C

I mean, but what is the gain here?

B

Maybe the only thing I can think of is time that if. So, let's say they moved in and it was a week before anybody noticed.

C

Right?

B

Right. Which is plausible.

C

Yes.

B

That buys the bad guy time to

C

get the money out.

B

Yeah, time to whatever get out of Dodge, launder it, whatever. Cover their tracks.

A

They get arrested for breaking into a place they're not gonna be able to go after him if they're in jail.

C

Right? Yeah. So I don't think this guy is probably local, he's probably international because he just compromised a Facebook account. Looked around a geographical area, found some ways to exploit something, put it all together, because everything you need to do this scam is on the Internet. And then had this family wire him or send him, including some in bitcoin. They're never getting that back. First off, the FBI is not going after $1,400 in Bitcoin, which is, you know, if you lose a big amount of bitcoin, they might help you. But $1,400? No, they're not gonna. They're not gonna do that.

A

What's the cutoff? 10K?

C

I don't know. I think it's hundreds of thousands. That's a good question.

B

I don't know. Next time I'm talking to somebody from the FBI, I'll ask them.

A

Yeah. I'm curious. What is the point at which they then need to get involved? And below that it's small potatoes. Cause that's. How is that determination made?

C

You know, it's all a matter of resource allocation. They don't have an infinite amount of resources. They can't go after every single small case. And the thing is, the criminals know that. Right. So they scale up their small scale operations by keeping by. Instead of doing one big heist, they do hundreds of little heists.

A

Yes. Distributed compute on everything.

C

Right, Exactly.

B

Yeah. Nuisance. It's a nuisance.

C

Right.

A

Fitted nuisance.

B

So what's the advice here, Joe?

C

Never send money to anybody for anything with Cash App or. I mean, not. Never say anything. It's terrible advice. But number one, legitimate services like property managers and rental agreements are not going to ask for money in bitcoin. I have heard stories of people who pay their rent via Venmo. I know somebody that does that and.

B

Yep.

C

But they signed a lease. You know, you don't. You can't take custody of a property until you sign a lease. So that's another red flag that should have gone up it doesn't seem like these folks signed a lease. Maybe they did. Maybe that's just not reported on in here, you know, because you can just go out and get a generic lease agreement online.

B

Right. Send them a PDF.

C

Yeah, send them a PDF. Say, sign this and send it back. We're all good. Go ahead, break the lockbox and move in.

B

Right.

A

So if they don't. If he. If he or she is the landlord and they don't walk up with a key and open the door for you and show you around. I don't know.

B

I wouldn't. Right. No, that's.

A

I recognize there are times you can't, but really, you need to have someone actually walk you around in it as much as possible.

B

Right, Right. I would even say if you're meeting someone at a place like this, to ask to see their ID before they show you around.

C

Yeah. Make sure you don't wind up in the basement of that rental property in pickle jars or something.

B

Yeah, yeah, no, it is. It has happened. All right, well, so I guess they're. They're out of the. What is it, $2,600 or so?

C

Well, I think they only lost, like, 1400.

B

Okay.

C

So, I mean, but still, they're. They. They don't have a place to live. That's more importantly, they. They moved out of their old place. Right. So they can't go back. Where do they go? Yeah, terrible.

B

No, it is terrible. And just the emotional toll as well. All right, well, we will have a link to that story in our show notes, and of course, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans2k.com. All right, Joe, Maria, it is time for our catch of the.

C

Dave, our catch of the day comes from our favorite. One of our favorites, the Scambait Subreddit R. Scambait.

A

Oh, yeah, I see. This one involves a Bostonian. Can I. Can I please be the Bostonian?

B

Yes, you may. I was counting on it.

A

Yeah. All right, so let me drop my ass.

B

I will be the. I'll be the scammer, and, Maria, you can be the not so hapless victim. It starts out like this. I'll be in Boston for an investment meeting. How about sailing out of Boston harbor for a bit?

A

Sure. We can take my boat.

B

That sounds so interesting. However, I probably won't get there until next month, so. Amanda, will you have time then?

A

This isn't Amanda, it's Jake.

B

That's terrible. It seems I mixed up the numbers. I always thought it was my friend Amanda's number. I'm so sorry, Jake. It sounds like you sail quite often. Do you mainly go out to sea for fishing or just to relax?

A

Mostly just to relax. It's an 80 foot boat. That's a yacht. FYI. That is a yacht.

C

It's bigger than Bezos boat or one of his yachts, isn't it?

A

No, no, it's not bigger than Bezos, but it's bigger than his support.

B

Yeah, it sounds like your previous job cost you the means to enjoy life. I also go to sea to enjoy life. My boat is currently docked in San Francisco Bay, but I haven't been there in a long time. Since you go out to sea so often, I'm sure you have many places to recommend. As for your invitation, if we become friends, I wouldn't mind taking a ride on your boat. Ha.

A

Well, that sounds wonderful. My boat just got out of dry dock. I'm upgrading the electrical on my boat. Gonna cost me 500. Full entertainment system, new LED lighting, and the latest up dog components.

B

It's really great.

C

The latest Sup Dog components.

B

Just wait for it, Joe. Just wait for it, Joe.

C

I know where this is going.

B

It's really great. Although I lost Amanda's number, I met a kind, polite and enthusiastic Bostonian.

C

So rare.

A

Okay, I'm back.

B

Perhaps we could exchange contact information later to stay in touch. I'd like to ask you for some travel advice about Boston. It sounds like you love your boat. My boats are all managed by my personal assistants. So it sounds like you're definitely a captain. By the way, I misspelled a word earlier because my native language is Mandarin. What I'm trying to say is that your previous job seems to have provided you with enough financial resources to enjoy life now.

C

Ah. So see, he's going back and correcting something he said earlier.

B

Right.

C

That didn't make sense.

B

Nonsensical.

A

Yeah, yeah, sure. Tell me about your boat. Do you have it equipped with Sup Dog?

B

What is this? I've never heard of it before.

A

What? What's what?

B

I don't know much about yachts. I just bought one for business purposes. I also occasionally go out to sea by myself. Going to sea is one of my many hobbies. Sup Dog? What is this?

A

Not much. What's up with you?

B

There it is.

A

What? You have it equipped with Sub Dog.

B

I recently traveled to Phoenix and just got back to la.

C

Totally misses the joke.

B

Yeah. By the way, from our brief Conversation. I feel that we are about the same age. I'm 43 years old this year. If you don't mind me asking, how old are you? And that's where it ends.

C

That's the end of it. That guy just stuck it out for the. For the. Sup, dog?

B

Yeah, no, it's good.

C

I actually got one of my co workers with that once. I won't name him because I don't want to shame him, but I walked over to his cubicle and I said, does this smell like updog over here? And he goes, what's up, dog? And I'm like, ah, nothing.

B

What's up with you?

C

As soon as I did it, you saw his face go, oh, no, no. Well, and I tried to get in the next day with hopping on. I said, I saw a hopping on out here. What's a hopping on?

B

Nothing.

C

What's a hopping on with you?

B

Well, as a BofA victim, I have great empathy for your co worker, Joe.

C

Yes.

A

We're still friends, ladies and gentlemen. That's what we call a callback.

C

We're still friends.

B

You know, you're no longer. I was gonna say roommates. Office mates with Michelle. Right?

C

No, we are not.

B

Okay. Was that at her request?

C

No, no, that was not. It was. Neither one of us asked for that. Okay.

B

Or maybe that was. Was it like, the elementary school teacher who thought it best to separate the two of you?

C

Could have been.

B

There's too much laughter coming out of that office.

C

There was. Well, now there's a lot of talking coming out of my office.

B

Okay.

C

Because now there's two doctors in my office, and I'm the only guy without a. Without a doctorate degree.

B

Oh, I see. So they talk down to you all the time.

C

No, actually, these guys are great. I like them. Good.

B

All right, well, that is our catch of the day. We will have a link to that as well in the show. Notes. Most environments trust too much and attackers know it. Threat Locker enforces default deny at execution blocks unknown apps and limits what trusted apps can do. Stop ransomware at the source. Get your demo@threatlocker.com N2K. And that is hacking humans, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Appreciate. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com this episode is produced by Liz Stokes. Our executive producer is Jennifer Ivan. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

C

I'm Joe Kerrigan.

A

And I'm Maria Supdog Varmontis.

C

You do Soft Dog, but you wouldn't do BofA with me.

A

I draw the line at BofA.

B

Well, you're both of my friends. Thanks for listening.