Maria Varmazes
You're listening to the CyberWire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner, and joining me is Joe Kerrigan. Hey, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazes. Hey, Maria.
Maria Varmazes
Hey, Dave. And hey, Joe.
Dave Buettner
We've got some good stories to share this week, and we will be right back after this message from our sponsor. And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allow listing and ring fencing has your back. All right, before we get to our stories, we have a couple items of follow up here. What do we got, Joe?
Joe Kerrigan
Dave, Ricky wrote in and commented on the fact that I kind of offhandedly said diamonds are a scam in one of our last episodes. Yeah, and I still stand by that. I think they are a scam.
Dave Buettner
I'm with you.
Maria Varmazes
I'm with you on that.
Dave Buettner
And I'm not saying so. I have a reason to not buy them from my wife.
Joe Kerrigan
Right. Here's a discussion I'd like to hear you guys ponder. Diamonds are the original cryptocurrency: production and value are almost entirely based on mining difficulties, used in illicit activities, and they are both tracked, allegedly, by ledgers of sorts. They are oft used for anonymously conducting transactions. So that's an interesting observation and an interesting assertion. The only difference is that diamonds are not as fungible as a cryptocurrency like a bitcoin or a, whatever, Ethereum token. Yeah, they are very different. Each one is different. Each one can be mapped to and fingerprinted. They can be engraved with identifiers, although you can just sand those identifiers off, I guess.
Dave Buettner
But you physically have to. It's a physical item.
Joe Kerrigan
Right.
Dave Buettner
Whereas crypto is not. It is not.
Joe Kerrigan
Right.
Dave Buettner
You couldn't... It would be... If we only had diamonds, the whole ransomware thing wouldn't be what it is if it were diamond based.
Joe Kerrigan
Right.
Maria Varmazes
Watch out, 2025.
Dave Buettner
What's that, Maria?
Maria Varmazes
Maybe that'll happen in 2025. We see ransomware. Diamond based ransomware.
Joe Kerrigan
Right. Because we're seeing gold bar based things.
Maria Varmazes
Why not? Let's bring it all.
Joe Kerrigan
Why not? Diamonds, right?
Maria Varmazes
Yeah, right.
Dave Buettner
No, that's interesting. I think Ricky makes some interesting points here.
Joe Kerrigan
Yeah, I agree.
Dave Buettner
I mean, the fact that it is based on mining. I have heard, and I think this goes to your point, Joe, that diamonds really aren't very rare.
Joe Kerrigan
Yes, they're not.
Dave Buettner
And it's. What is it? The De Beers company who makes them rare?
Joe Kerrigan
They keep them. They keep the supply controlled.
Dave Buettner
Yes, yes.
Joe Kerrigan
So it rains diamonds on Jupiter, actually.
Dave Buettner
Is that right?
Joe Kerrigan
Yes.
Dave Buettner
Okay.
Joe Kerrigan
Pressures are great enough that carbon forms into diamonds in the rain. Of course, those pressures are so high we can't get in there and collect the diamonds. I don't know how we ever would. But the theory is that it rains diamonds on Jupiter.
Dave Buettner
Huh. Okay, that's interesting.
Joe Kerrigan
Yeah.
Dave Buettner
Yeah. So I think this is an interesting idea. I think Ricky's onto something here. So thank you for sending it in. That's. I'll be thinking about that for a little bit. Right. All right. What else do we have, Joe?
Joe Kerrigan
Dave, we have another one. I'd like you to read this one because I have a response to this one. This is actually directed at another one of my comments.
Dave Buettner
Okay.
Joe Kerrigan
Apparently people don't like my stupid comments.
Dave Buettner
They just like your smart comments, Joe, not your stupid ones.
Joe Kerrigan
Oh, I make a lot of smart comments too, if you get my point.
Dave Buettner
Unfortunately, it's up to them to decide which is which.
Joe Kerrigan
Right.
Dave Buettner
All right, it goes: Hey, guys and Maria, just a bit of feedback for Joe for a comment he made regarding YubiKeys for organizations. He said something to the effect that each new hire should be issued two keys, about US$90, when starting with the company. While I like the idea of issuing YubiKeys, two per employee is overkill. We rolled out YubiKeys for a client and you can include management tools that integrate with Active Directory. Only requires one per employee and a couple of spares for the administrators. Yes, it requires some upfront work to set up the integration with AD. I guess it's Active Directory.
Joe Kerrigan
Active Directory, yeah.
Dave Buettner
But once it's in place, we help the client roll this out and it works like a charm. It even works as the 2FA for the staff when they VPN in from home. Further, the client issued NFC keys to each employee when they rolled out Ubiquiti door locks. The YubiKeys doubled as their pass cards to get by the electronic locks. That's fun.
Joe Kerrigan
Yep.
Dave Buettner
This works as a great incentive not to lose your YubiKey. This is lovely. Put it on. Your little Maria brings a long overdue source of calm to help keep Joe from going too far down a rabbit hole.
Maria Varmazes
I've never been described that way in my life, but thank you.
Joe Kerrigan
Yeah.
Dave Buettner
That's what they say every time you enter a room, right, Maria?
Maria Varmazes
Oh, oh, yeah. Me calm.
Dave Buettner
That's. This sense of calm has just come over this room. What happened? Oh, it's Maria.
Maria Varmazes
I'm here. Everything's great.
Dave Buettner
It's the aura of your presence. One thing, though, I do miss interviews that Dave used to do in the second half of the show. What happened to those? That's it. So long from the Great White North. From Crow Child, Bob.
Joe Kerrigan
Yes, and Bob. So Bob is 100% correct. You do not need to buy two YubiKeys for every employee.
Dave Buettner
Yeah.
Joe Kerrigan
However, I recommend you do. And the reason is this is because this is the way Twitter rolled it out. Twitter bought everybody two YubiKeys and they said, here's two YubiKeys. Start using this on all your multi-factor authentication.
Dave Buettner
Right.
Joe Kerrigan
And you're going to have to use it on your Twitter multi-factor authentication. This was after that hack where the young guy convinced somebody that worked at Twitter that he was calling in from the help desk. And if they'd had YubiKeys, then this would not have happened.
Dave Buettner
Right.
Joe Kerrigan
So the point is that if you're going to equip people with YubiKeys and encourage them to use them in their personal lives. And what happens, like if you're using YubiKey for your Google account or your Facebook account, personal Facebook account, or any of these other accounts, and then you lose it. You lose the YubiKey, you may lose access to your account. Which is the reason I say it's worth the $45 to buy an extra one, even if you're just doing it yourself, is because it will save you the time and hassle of trying to contact these big tech corporations and trying to get them to respond to you, because that is like pulling teeth. It is a terrible experience all around. It is worth the $45 to have two of them. And I think that if you're going to be a company that does this, maybe you want to consider going ahead and getting your employees two of them and encouraging everybody to do it. No, you do not have to do that. And Bob is 100% correct here. You can do it with one and a couple extra spares. And when somebody loses one, you just give them a new one. That's fine. And you can tell them, we don't care about your personal accounts, but that's essentially what you're going to be telling them. Right.
Dave Buettner
I like the idea of two. Now we use them here at N2K. And I was issued two when that happened. Obviously, I like having a backup, knowing myself as I do. But the other thing I think is that this is a measure of convenience for your tech support team, because in this case, if you issue two and somebody loses one, they can still limp along with the backup while you're taking care of replacing the lost one.
Joe Kerrigan
That's right. They don't lose access immediately.
Dave Buettner
Right. And it just makes it less of an important, "We must fix this now, because I can't get into my accounts."
Joe Kerrigan
Right.
Dave Buettner
They can still get into their accounts. And you replace the lost one at your leisure.
Joe Kerrigan
And loss is not the only thing that can happen to these. You can damage them, too.
Dave Buettner
Yeah.
Joe Kerrigan
I'm very afraid that I'm going to damage mine because it's on the back of my backpack on a lanyard.
Dave Buettner
Right.
Joe Kerrigan
It swings around. It gets slammed in car doors and everything.
Dave Buettner
Yeah.
Joe Kerrigan
I mean, I'm glad I have two of them. That's what I'm saying.
Maria Varmazes
You could reconsider where you put it. I'm just saying.
Joe Kerrigan
Yeah, I could. I could. I also want to say, not going to.
Dave Buettner
For those who have never crossed paths with Joe, first of all, he brings his backpack with him just about everywhere.
Joe Kerrigan
Yeah.
Dave Buettner
But also, his backpack weighs about 400 pounds.
Joe Kerrigan
It's very heavy. Yes.
Maria Varmazes
So you're one of those.
Joe Kerrigan
Cannot pick it up. When I say, hand me my backpack, she goes, no.
Dave Buettner
Nobody has ever said, hey, Joe, toss me that backpack. No. So anything attached to it is a crushing risk for sure.
Joe Kerrigan
Absolutely.
Dave Buettner
Yeah. All right, well, thanks for the kind words about Maria. And the interviews aren't necessarily gone forever. We've just sort of changed modes where when we brought Maria on the show every week, we wanted to make sure that we had enough time for Maria to do the things she wants to do and for three of us to each tell our stories. So that pushed the interviews aside, but we're still open to them. So when a really interesting interview comes along that we think is great for the show, then we will include that. So not necessarily gone forever, but most of our episodes will be interview free from this point on. We traded the interviews for one Maria. And I think it's been a good trade.
Maria Varmazes
So hope it was a good choice.
Dave Buettner
A Maria to be named later. Yeah, no, I think it's been great. So that's where we are. All right, well, that is our follow up and of course we would love to hear from you. If there's something you'd like us to discuss on the show, you can email us. It's hackinghumans@n2k.com. All right, let's get to our stories here. I'm gonna lead things off for us and I wanna talk about the Honey scam.
Maria Varmazes
Yeah.
Joe Kerrigan
Now, I think I see this in my new neighborhood. It's where you drive by a house and it says, honey for sale.
Maria Varmazes
Oh, is it.
Joe Kerrigan
Local honey for sale? Is that what this is?
Dave Buettner
No, this is not that.
Joe Kerrigan
Oh, okay. Maybe I'll stop by and actually...
Dave Buettner
What do you envision a honey scam would be? Or it's not actually local honey or... Okay, so industrial honey.
Joe Kerrigan
That's quite right. That's right. It's honey from some mass produced farm out in the Midwest and they just ship it in a tanker truck and then somebody sells it like local honey.
Dave Buettner
Right, right.
Joe Kerrigan
Which homeopathic people will say local honey will help you with allergies that you have.
Dave Buettner
Yeah, I've heard that.
Joe Kerrigan
I don't know if that's true or not.
Maria Varmazes
I don't know if it works. I've tried it. I don't know if it's worked, but it's nice honey. It tastes good.
Joe Kerrigan
Yeah. I love honey. Honey is one of my favorites.
Dave Buettner
Oh, it's delicious. Evidently it lasts just about forever.
Joe Kerrigan
Yeah, it does. It does not go bad.
Maria Varmazes
Great story, Dave. Love this one.
Dave Buettner
Thanks. This has nothing to do with any of that.
Joe Kerrigan
Right?
Dave Buettner
So remember when our commenter was talking about Joe going too far down a rap?
Joe Kerrigan
Here we are. Look at all these old bunnies.
Maria Varmazes
Maria, save us reeling it for.
Dave Buettner
Okay, so here's what's going on. And I want to preface this by saying at this point in the life story of this scam, the word scam is in quotes because these are all allegations.
Joe Kerrigan
Okay?
Dave Buettner
The accused has not officially made a meaningful response to any of this. So these are allegations. But there's a good amount of verification and backup. And it seems like what is being alleged is going on here, but I just want to frame it that way just so everybody knows this isn't a done deal. So there is a web browser plugin called Honey. And what Honey is supposed to do is you install this browser plugin and when you go shopping for things, right before you check out, you click the Honey button. And what Honey says they do is they search the web for all the best coupon codes. And so just as you're about to check out, they search the web, they pop up a coupon code. You put that coupon code in and you save some money. That's what it's supposed to do. Make sense? Yes, yes, Maria. Yeah. All right.
Maria Varmazes
Yes, I'm with you.
Dave Buettner
Yep. So Honey is also one of the largest advertisers on, let's call them, influencer channels. So YouTube channels. And we're talking about the big names here. Most of them have been sponsored by Honey.
Joe Kerrigan
Now I'm looking at this lineup of guys and I only recognize two of them.
Dave Buettner
Yeah.
Joe Kerrigan
One of them is one of my favorites, Mark Rober, who I like a lot.
Dave Buettner
Yeah.
Joe Kerrigan
And the other one is MrBeast, who I have blocked on all of my YouTube stuff. And the only reason I blocked him is because I can't stand seeing his stupid face, the stupid face he makes. You know that stupid face he makes, like, oh, it's a shocked face. He puts it on all of his thumbnails.
Maria Varmazes
Every YouTuber does that.
Dave Buettner
That's like, you got thumbnail face.
Joe Kerrigan
If you do that, I block your channel so quickly.
Dave Buettner
Yeah, I hate it. I installed a plugin that blocks that.
Joe Kerrigan
Oh, did you?
Dave Buettner
Yeah.
Maria Varmazes
Oh, it's rid of the plugin.
Dave Buettner
Yeah. All right, so. And down the rabbit hole we go. So Marques Brownlee is one of the well known YouTubers who I frequent and he was sponsored by Honey as well. Now, it's worth noting that Honey was purchased by PayPal. So Honey has deep pockets.
Maria Varmazes
They've been around not that long. I feel like they just had a meteoric rise though. I remember when they were new and it just seemed like they got snatched up pretty quickly.
Dave Buettner
Yeah.
Maria Varmazes
Quite amazing.
Dave Buettner
I think that's right. I think that's right. So there is a YouTuber who goes by the name Megalag, who published a video with all of these allegations.
Joe Kerrigan
Awesome name, by the way.
Dave Buettner
So here's what's going on. When you go to purchase something that was recommended by someone online, you often get an affiliate link. And an affiliate link is a special link. Let's just use Amazon as an example because it's easy. It's a special link that connects to that YouTuber or influencer's account. They say, go buy this bottle of facial cream. And when you do, we'll get a small percentage back to support our channel. I think we've all seen that. Yes. And so that is a special affiliate link code. So allegation number one is that when you go to, let's say, Amazon with that affiliate link and you click on the Honey plugin, Honey replaces the affiliate link with their own.
Joe Kerrigan
I knew that when you started saying that and said the first allegation, I knew exactly where this was gonna go.
Dave Buettner
Yeah. So everything you buy, then the kickback doesn't go to the creator, the person you intended to support. It goes to Honey. So that's allegation number one. And that Honey is not making that clear, that that's what they're doing. Allegation number two is, as we mentioned, Honey claims to the user of their plugin that they are going out and searching the web for all of the best coupons. Well, if you are a Honey affiliate, someone partnering with Honey, let's say you are a brand like Coca Cola.
Joe Kerrigan
Okay.
Dave Buettner
All right. You can partner with Honey. And part of your agreement is that Honey will only present the coupons that you want them to present.
Joe Kerrigan
Hmm.
Dave Buettner
So let's say there's a 20% Coca Cola coupon floating around on the web for very special reasons.
Joe Kerrigan
Right.
Dave Buettner
But you run Coca Cola, and you only want a 5% coupon to show up on Honey.
Joe Kerrigan
Right.
Dave Buettner
You partner with Honey, you tell them, in exchange for only presenting this 5% coupon, we will partner and, you know, Honey will get a kickback for that deal as well. So the notion that Honey is searching the web for all the best deals and coupons isn't necessarily true.
Maria Varmazes
Yeah. I'm not surprised.
Dave Buettner
Because if they partner with a company, they only present the deals that that company wants them to present.
Joe Kerrigan
It seems like way more than shady, you know?
Dave Buettner
It does. Yeah, it does seem that way.
Maria Varmazes
And yet it's not surprising, is it?
Joe Kerrigan
No, absolutely. You know, that's a good point, Maria. I am absolutely not shocked at any of this.
Dave Buettner
No. We all respond with learned resignation.
Joe Kerrigan
Right, Right.
Dave Buettner
Another thing. Another good thing ruined.
Joe Kerrigan
Yeah.
Dave Buettner
Yeah.
Maria Varmazes
Made credible, right?
Joe Kerrigan
Yep.
Dave Buettner
Incredible. So many of the original folks who had sponsorships from Honey, for example, Marques Brownlee has posted a video basically saying, if I knew they were doing this, I never would have allowed them to sponsor. And I suggest that everybody uninstall the Honey plugin.
Joe Kerrigan
I imagine that these influencers are all losing revenue to this app.
Maria Varmazes
Yeah.
Dave Buettner
As well. Absolutely.
Maria Varmazes
Very likely. Yep.
Dave Buettner
Absolutely. Absolutely. So what do you guys make of this?
Joe Kerrigan
It's like a pack of weasels that run a company that's.
Maria Varmazes
There have been so many browser extensions like this, like Honey. I mean, I think Capital One makes one. I get advertisements for it all the time that do the similar. I'm not saying they do the cookie stealing, but the whole running coupons in for you, they're just a dime a dozen. So I don't know, it just doesn't surprise me that they're scammy at all. I never wanted one on my browser, but I get it. They're everywhere. I mean, people are getting bombarded with them. So I don't know, it just speaks more to the, again, enshittification of everything on the Internet. Like, right. Yeah.
Joe Kerrigan
I think I may have gone looking for coupon codes like a total of four or five times. And every time I go looking for a coupon code for whatever it is I'm buying, I quickly get disgusted and just like, stop looking and just go, this is all just scam. I'm just going to pay the extra 10%. I don't care.
Dave Buettner
For your dignity. Right?
Joe Kerrigan
For my dignity and sanity.
Dave Buettner
Yes. Right. Yeah. I've done the exact same thing. There are times when I've definitely gone looking for coupon codes, and most of the time I'm not successful. Either the coupon doesn't work or it's expired, or who knows? But I can understand this. It's interesting to me that someone as big as PayPal is behind this now. There is a class action lawsuit.
Joe Kerrigan
Good.
Dave Buettner
At the end of last year, a group of lawyers representing some of the content creators who partnered with Honey filed a class action lawsuit. They're claiming damages in excess of $5 million.
Joe Kerrigan
Oh, good.
Dave Buettner
So we'll see how that plays out. The other thing I've been thinking about this is I wonder how far and wide does this story go? Does it spread far enough to actually have a meaningful effect on Honey? And should the class action lawsuit not succeed, do they change anything about how they're doing business?
Joe Kerrigan
I say if the class action lawsuit does not succeed, they don't change anything. Yeah, yeah, that's probably what's going to happen.
Maria Varmazes
Because I'm sure they're saying they've done nothing wrong, that they provide an incredible value to customers and we're saving you money and time. That's why we're great. So, yeah, they've done nothing wrong, I'm sure, in their eyes.
Dave Buettner
Yeah. This idea of stealing the affiliate links, though, rubs me the wrong way.
Joe Kerrigan
Really does. Yeah.
Dave Buettner
I mean, it's just awful. How could anyone think that's the right thing to do, right?
Joe Kerrigan
I mean, if you're on your web, on your phone, or on your web browser and you click on an affiliate link and you think you're supporting the content creator, and it turns out because you have this app installed or this extension installed, you're just supporting PayPal.
Dave Buettner
Right?
Joe Kerrigan
Right.
Maria Varmazes
Who doesn't need that money?
Joe Kerrigan
Yeah, they don't need that money.
Maria Varmazes
That content creator does. But PayPal. PayPal's good. Yeah, yeah, it's pretty gross. But I think a lot of it is with this affiliate marketing and a lot of these code trackers and because it is so obscure to the end user and for most people who are not professionals at this, I think a lot of people figure they can get away with doing shady stuff like this. And honestly, they can, because people just don't look at this stuff. A lot of it, they don't understand how it works. So people just like, I'll just do it until somebody figures out that I'm doing something wrong. Lo and behold.
Dave Buettner
Yeah. All right, well, we will have a link to that story in the show notes. Maria, what do you have for us this week?
Maria Varmazes
Well, a lot of folks were home for the holiday season, and I know for me, that tends to be the time of year where I'm doing a lot of family tech support. And I was looking on Reddit's scam subreddit, and I noticed a trend of a lot of people posting, hey, my mom or dad is messaging someone they think is Elon Musk, and how do I get them to stop giving them money? And it just seems like a lot of those posts popped up over the holiday season. It was quite amazing. And that sort of was a natural segue in my mind to a story that CBS just put out about a woman named Sue who is 66 and used Match.com to find a traveling companion in her retirement, connected with a man named Santos. And of course, this is a romance scam. Spoiler alert. And over the course of several weeks, he romanced her. He wrote her a poem. It was very romantic. His first money ask was for $40,000 to help with a job certification. And Sue has $2 million in her retirement savings. So she figured 40K, someone she's falling in love with, she could manage it. And over the course of some more time, this scammer scammed her out of all of her $2 million of life savings. It's gone in that romance scam, which is just unbelievable. And the reason CBS was highlighting Sue's story is that there's two points. One is that the FTC said in 2024, over 64,000 Americans alone were hit by romance scams like what Sue went through, with the damage totaling over $1.1 billion, and that's in 2024. And that number, $1.1 billion, is double what it was just four years ago for romance scams damage, which just speaks to the efficacy of how horrible these things are.
Joe Kerrigan
And these are only the reported numbers.
Maria Varmazes
And these are only the reported numbers, too. Yeah. This is what the FTC knows. Right. So I'm.
Dave Buettner
We. What.
Maria Varmazes
It's probably quadruple that. I mean, I'm making that number up, but honestly, it's probably so much larger. And they also said that about half of online daters like Sue, who is using Match, say they've come across scammers looking for money. So people who are looking for romance in sort of legitimate places, so to speak, they're coming across scammers way more than I would have guessed.
Dave Buettner
I.
Maria Varmazes
When I used online dating to meet my husband 14 years ago, I did not meet, as far as I know, a single scammer. And if my husband's a scammer, the scam's gone a long, long time.
Joe Kerrigan
Right.
Dave Buettner
He's all.
Joe Kerrigan
He's playing along.
Maria Varmazes
He's definitely all in. We've got a kid and everything.
Joe Kerrigan
I've got to have one of my children.
Dave Buettner
Yeah.
Maria Varmazes
Like, I got our hooks in. So this online dating being the realm of scammers and, you know, the place where they go to find new victims is, you know, a known quantity. We've talked about it. So there is some legislation floating around that is actually bipartisan called the Online Dating Safety Act, that is hoping to try and address or at least stem the flow of all these online dating scams. And it's very easy for me to be cynical and go, this doesn't go far enough. But I applaud the fact that someone's actually trying to do something. And the bill says it would require online dating service providers, either mobile applications or websites, to provide users like Sue with a fraud ban notification if the person they've been talking to has actually been identified as a scammer and then banned through the service. So it may not necessarily stop a scam in progress, but at least the thinking is if they've talked to this person, they know retroactively this person was a scammer, or, you know, if the scam happens to be stopped midway, then they'll know, hey, this guy didn't just disappear, he was banned because he was a scammer.
Joe Kerrigan
Right.
Maria Varmazes
So, yeah, it's limited in its scope, but it's hoping to do something.
Joe Kerrigan
One of the first things they do, these scammers, is they try to move you off this platform because they know they're going to get banned.
Maria Varmazes
Yep.
Joe Kerrigan
So that's where the scam, you know, they'll go to another thing like WhatsApp or Signal or something, and they'll scam the people. That's where they actually conduct the scam.
Maria Varmazes
Yes.
Joe Kerrigan
So, and that can take some time. So if this notification can reach the victim: Hey, we've identified this person as a scam account. You should stop communicating with them. And if you send them any money, you should call the police.
Maria Varmazes
Yeah, I wonder, I mean, we've talked about these kinds of romance scams many times about how all attempts to sort of reason somebody out of something they didn't reason themselves into is very hard. But I do wonder if a message sort of from an authority figure like the service that one used, if that might be potentially effective in ways that we haven't seen before. Because again, I can be very cynical about this. Doesn't go far enough. You know, as you mentioned, Joe, these scams are taken to other platforms. So what about, you know, what about Meta platforms? What are they doing? But again, if you get that official notification, we identified this person definitively as a scammer. Maybe that would cause enough friction. Maybe. So anyway, the status of this bill was that it passed the House and it did not yet pass the Senate. Fingers crossed. It looks like it's going to be floated in the upcoming Senate session, so to speak. So we'll see if that actually goes anywhere. But it's interesting that at least two legislators, one's from California, one's from Colorado, they're trying. So I would like it to have more teeth. But it's nice that somebody's thinking of it and here's hoping it goes somewhere.
Joe Kerrigan
Yeah. And they are bipartisan, the sponsors of this bill, one is a Democrat, one is a Republican.
Maria Varmazes
Yep.
Dave Buettner
It's so hard to be anything but cynical about all this stuff, though, Right? Like, I mean, just, I don't know, it's hard to see anything. I guess I just don't have confidence that there's much that can move the needle, you know? Like, it's great. We're trying. We're gonna do stuff. But when we're dealing with folks who are out, literally out of the reach of law enforcement by virtue of most of them being overseas.
Maria Varmazes
Right, yep.
Dave Buettner
And no way to stop them from accessing folks here.
Maria Varmazes
Yeah, yeah. It's sort of like the robocalls that have just made phones pretty much useless for everybody. Nothing has really helped. I mean, I use an app that sort of helps stem that tide, but I still get these spam calls all the time, and it's been going on for years now, and I've sort of lost any hope that this is going to get better. And I'm trying not to lose hope in this case, but, I mean, over a billion dollars a year, again, that we know about. I mean, this is an unbelievable amount of money.
Dave Buettner
Absolutely. Well, cross our fingers and hope, right?
Joe Kerrigan
Yeah, yeah.
Maria Varmazes
What else can you do?
Dave Buettner
Yeah, exactly.
Joe Kerrigan
It's all going downhill. The entire content of the Internet is just being. I'll give you another example. I went looking for something on YouTube the other day, and, like, the first three videos I click on are just AI slop of somebody reading a script, some AI voice reading a script. And it's just getting put up on YouTube because it's getting through the search engines and it's just all awful. The content on the Internet is just going downhill.
Maria Varmazes
Yeah, I miss the old Internet.
Dave Buettner
Yeah, I know, I know. I just. I think about the. I mean, we. It's hard to imagine, but like, when I was a teen. Joe, when you and I were teenagers. Right. So in the 80s, there really was this sense of techno optimism. Like, we thought computers and the Internet were going to be a force for good. And, you know, people were going to have to work less and there'd be more leisure time, and all these good things were going to happen because all the drudgery of life would be taken away from us by computers. And here we are.
Joe Kerrigan
Right.
Dave Buettner
It did not work out that way.
Joe Kerrigan
I, for one, welcome our new computer overlords.
Maria Varmazes
Technopessimism is techno dystopianism. That's not a word.
Dave Buettner
Right, right. All right, interesting stuff. And we will have a link to that story in the show notes. Before we get to Joe's story, let's take a quick break to hear a message from our sponsor. So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up, where traditional cybersecurity tools require you to create a list of things you don't want to run. ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show. All right, we are back and Joe, it is time for you to share what you've got for us. Why don't you go ahead there?
Joe Kerrigan
I do want to say before we go on to my stories here, that what you were just talking about, the techno pessimism. William Gibson nailed the techno pessimism in the 80s 90s. So if you read the Sprawl trilogy, very much like he accurately predicted a lot of what was going on here.
Dave Buettner
Oh, interesting.
Joe Kerrigan
Okay, so let's see. First, I want to remind everybody that the scammers liturgical calendar has changed seasons, we are out of delivery and holiday fraud, and now it's time for tax scam season.
Dave Buettner
Oh, goody.
Joe Kerrigan
Right. So keep an eye out on your inboxes for anything that looks like it comes from the IRS. It probably doesn't. Unless you have a way to communicate with the IRS on a regular basis. They're going to send you letters. Read those, open them. They will come on official letterhead and they will always ask you for money in the form of checks. They will never say send me cryptocurrencies.
Dave Buettner
Send me gift cards.
Joe Kerrigan
That is not how you pay the IRS.
Dave Buettner
No.
Maria Varmazes
Yes. No.
Dave Buettner
Okay.
Joe Kerrigan
Not yet. That's right.
Dave Buettner
Well, didn't we have a when we had a listener write in was it last show who talked about how you could pay some state taxes to pay with cryptocurrency?
Joe Kerrigan
Yep.
Dave Buettner
This does not seem like a good thing to me.
Joe Kerrigan
Ultimately, if you have that option, don't do it. Just don't.
Dave Buettner
Don't encourage them.
Joe Kerrigan
Don't encourage them.
Dave Buettner
Right, Right.
Joe Kerrigan
Exactly right. Don't encourage them. And you know, maybe. Never mind. I was going to say maybe somebody should try to go in and defraud the governments, but don't do that. Don't do that. Just try to get them to give your private keys.
Maria Varmazes
Really?
Joe Kerrigan
And wow, don't do that. Of course, shouldn't ever do that idea. But I mean, can you imagine what can you imagine that use case. Right. Or that, that, that, that. What's the threat model? That threat model. That's the one I'm thinking. I'm not used to. You know, you have a government that actually collects money in taxes in crypto. And somebody goes, hey, I'll bet they're holding a lot of money in crypto. And I could sit there and get the, if I can, if I can socially engineer their, their crypto keys out of, out of somebody that works there, I can get the payments and just forward them onto my wallet.
Dave Buettner
Yeah.
Joe Kerrigan
And be done with it.
Maria Varmazes
And there's nothing you can do about it.
Joe Kerrigan
And there's nothing you can do about it.
Maria Varmazes
Now send it to Hollywood. Joe, you've got a movie idea right there.
Joe Kerrigan
That's a very short movie. That's pretty much it. My story actually comes from the BBC and the headline is Madoff Fraud Victims Get 4.3 Billion as Fund completes payout. So it's talking about most recently there's the Madoff Victim Fund. Now let's recap. Bernie Madoff, you know who Bernie. Everybody remembers Bernie Madoff. He died in prison in 2021. But back in 2008 or 2007, somewhere around that time, his Ponzi scheme, as it was called, which I think it accurately was called, or accurately was described as a Ponzi scheme, ran out of money and he couldn't pay victims or pay, pay his investors anymore.
Dave Buettner
Right.
Joe Kerrigan
And it came to light that it was a Ponzi scheme. He wound up getting a 150 year sentence. Good. Him, he didn't wind up serving nearly 150 years.
Dave Buettner
He showed them.
Joe Kerrigan
Yeah, he did. So, yeah, he was only in prison from 2009 to 2021 when he passed away.
Dave Buettner
Okay.
Joe Kerrigan
So the latest payouts being made from the victims fund, the MVF, Madoff Victim Fund, is $131.4 million and will bring the grand total of money that's been paid to the claimants to about $4.3 billion. Now before people get upset and think about, you know, this is just rich people getting away with more stuff, there were 40,930 claimants, which means the average amount that people had invested with this Ponzi scheme was around $100,000.
Dave Buettner
Okay.
Joe Kerrigan
These were not big investors. These were people that probably had a sizable portion of their nest egg. I'm. I'm speculating here, but I can see where. These were people who had a sizable portion of their nest egg put in this fund, and when this thing collapsed, they essentially lost all of it. But over time, over the last 15 years or so, the MVF estimates, it has been able to recover 94% of what it's calling the victims' proven losses when they wrap up all the distributions here in this calendar year, 2025. So the downside is that. Or the upside is people are gonna get 94% of their money back. The downside is they've lost the 15 years of time on that money, which is the more valuable part to the investor.
Dave Buettner
Right.
Joe Kerrigan
Because, you know, by now that could have doubled once, maybe twice, depending on how you invested it properly.
Dave Buettner
Right.
Joe Kerrigan
So it's not. People are not getting back everything they've been robbed that has been taken from them here, but they are getting back their initial investments, or at least most of it, it seems.
Dave Buettner
Huh. Have either of you ever been approached with anything resembling a Ponzi scheme?
Joe Kerrigan
Not a Ponzi scheme. No, no, no, not that. We had a listener send something in, and I didn't want to put it in here because it's all still in litigation right now. Maybe I'll talk about it once it goes through trial and the outcomes come out. But, you know, there's. You know, the idea of a Ponzi scheme is you start telling people that you're going to pay them some kind of astronomical return on your investment. And the funny thing is that usually what people are saying is, like, 8% return on investment. And there are investments out there that will pay that or better, that are legit, that you can just go out and buy. Now, they don't guarantee those kind of returns.
Dave Buettner
Right.
Joe Kerrigan
They're never guaranteed, but, you know, and of course, your investment can lose money. I'm not giving out investment advice on this podcast. I'm not qualified to do that.
Maria Varmazes
Yeah, well, the benefit of being a millennial in this case is everyone I know is broke, so I've never been approached about financial stuff.
Joe Kerrigan
Yeah, that's. That's another thing. But the idea is they say we're going to give you, like, 10% guaranteed returns every year, and then the entire scam relies on them being able to bring more people in.
Dave Buettner
Right.
Joe Kerrigan
Because the initial investors are not getting the 10%. They're just getting money that's being paid into the. Into the fund, given to them as. As. As dividends or returns or whatever.
Dave Buettner
Yeah.
Joe Kerrigan
And of course, the, the, the way this works is the people who get in early actually don't get hurt as bad, but the people who get in late are the ones that get, get hurt the most. Yeah, they lose just about everything.
Dave Buettner
I guess the closest to this is there have certainly been a lot of multi level marketing schemes over the years that.
Joe Kerrigan
Yes.
Dave Buettner
If, if not being this, they rhyme, you know. Right.
Joe Kerrigan
Well, yeah. Pyramid schemes and Ponzi schemes are very, very similar. So actually I did, I did a little bit of a refresher on this. Pyramid schemes are, you know, the, what was the, the, the eight square or eight ball. The eight ball game or the, you know, the airplane game where everybody pays $1,000 to get on an airplane if you're a passenger.
Dave Buettner
Yeah.
Joe Kerrigan
And then there's four levels. There's pilots, there's one pilot, there's two co pilots, there's four crew members, and then there's eight passengers.
Dave Buettner
Okay.
Joe Kerrigan
The eight passengers pay in and they all pay $1,000. So they give $1,000 and that all goes to the pilot who then takes the money and disappears. And then the passengers have to go out and find eight more passengers. They become crew members, the co pilots split the pyramid and they become pilots. So they get the next $8,000. And it sounds like it's great. Right. But if you do this 20 times, there's not that many people on the planet.
Dave Buettner
A dear friend of mine said once about multi level marketing, the problem with multi level marketing is that eventually you run out of friends.
Joe Kerrigan
Right, right. Very quickly, actually. Yeah.
Maria Varmazes
Yeah.
Dave Buettner
Because it really does rely on that. Yeah.
Joe Kerrigan
And it alienates people. I mean.
Dave Buettner
Yeah.
Joe Kerrigan
Like I've talked about this. We have somebody in our family who is big in the multi level market. We don't talk to him anymore.
Dave Buettner
Right.
Joe Kerrigan
And I don't care if I ever see him again.
Dave Buettner
Right.
Joe Kerrigan
You know.
Dave Buettner
Yeah, it's, it's true. I mean, it's, it's. And it can be sad. Yeah. Yeah, I understand that. Avoidance. That's no fun.
Joe Kerrigan
Yeah. So it looks at, looks like these, the, the people that got hurt in the Madoff scam are not, are getting made almost whole, although they are, they have lost a lot of time.
Dave Buettner
Yeah.
Joe Kerrigan
And we'll put a link in the show notes to the story on the BBC.
Dave Buettner
I think it's remarkable how much they've gotten back, actually.
Joe Kerrigan
Yeah. I'm impressed.
Maria Varmazes
Yeah. I thought they were all ruined by this.
Joe Kerrigan
He had other assets. Yeah, he had other assets that they were able to collect on.
Dave Buettner
Wow.
Maria Varmazes
Nice. Okay.
Dave Buettner
All right. Well, we will have a link to that in the show notes. All right, Joe, Maria, it is time to move on to our catch of the day. All right, so our catch of the day comes from the scambait subreddit over on Reddit. This is called John Part 1 and it goes like this. Maria, this is you and me. I will start things off. Here we go. The person gets out of the blue text that says, hello, my friend, how are you doing today? And how's the weather conditions there?
Maria Varmazes
Sorry, do I know you?
Dave Buettner
Nice connecting with you. I'm John by name.
Maria Varmazes
Okay. Where are you from?
Dave Buettner
I'm from Portugal. Currently live in Denver, Colorado.
Maria Varmazes
Oh, wow. So how do I know you? You called me friend.
Dave Buettner
Where are you from?
Maria Varmazes
Do you always ignore questions? I'm from the uk.
Dave Buettner
Everyone is my friend, including you. I'm to meet new friend, chat and get to know you better already. Beautiful guy, beautiful country.
Maria Varmazes
You live uk people are not friends until they know one another. Saying hello doesn't make you friends. Where in the UK have you been?
Dave Buettner
I have been to Manchester city. What city in UK do you live?
Maria Varmazes
I don't live in a city.
Dave Buettner
So where do you live, if you don't mind?
Maria Varmazes
I live in a small village.
Dave Buettner
Okay, that's cool. How's your family, your husband and kids? Hope all is well.
Maria Varmazes
I don't have a husband or kids.
Dave Buettner
Do you live alone?
Maria Varmazes
Yes, I live alone.
Joe Kerrigan
Does anybody else get really creeped out by that question?
Dave Buettner
Do you live alone?
Maria Varmazes
I'm like, I would never answer these questions. My goodness.
Joe Kerrigan
Wow. That one, just like that. I would do that. There's somebody behind me waving a red flag and that's all I see.
Dave Buettner
Okay. I'm divorced. Have been divorced since two years now. I live alone. I don't have any kids.
Maria Varmazes
Oh, why did you get divorced?
Dave Buettner
It was a long story, my friend. In everything that happened in the past, life goes on. You seem like a very nice and easygoing person. What do you do? I mean, what do you do for work, if you don't mind?
Maria Varmazes
Well, it's also important to talk about these things. I'm an accountant. And you?
Dave Buettner
Awesome job. I'm a contract worker. I work as offshore. I do all types of constructions, building of oil rigs and pipelines.
Maria Varmazes
Oh, wow. So you work for a large company right now?
Dave Buettner
I'm currently in Gulf of Mexico working as offshore. I has a contract here and have been here one month, three weeks and some days now.
Maria Varmazes
I wasn't aware they were building more rigs there. How long will you be there for.
Dave Buettner
I will be here for more 30 days. My job is on progress. I will like to know more about you but I don't usually chat here due to my job. I don't know if we can chat in another platform. Get to know each other more better if you don't mind.
Maria Varmazes
There it is.
Dave Buettner
Hopefully to meet you someday in person.
Maria Varmazes
Well, I have Google Chat.
Dave Buettner
Okay, let me have your Google Chat emailmail.com. Okay, I will text you on Google Chat. I sent you messages on Google Chat. Did you got my message on Google Chat?
Maria Varmazes
Yes. Oh no, it keeps going.
Dave Buettner
Hello, it's me, John. Hello.
Maria Varmazes
Hello. How are you?
Dave Buettner
I'm fine, thank you. How are you? And how's the weather conditions there?
Joe Kerrigan
So now he's just copying and pasting from the same part of the script.
Maria Varmazes
Oh my God.
Dave Buettner
I started over.
Maria Varmazes
I'm fine. And the weather is normal for the time of year. Can you send one photo please? Only one?
Dave Buettner
Okay. And it's a pretty nondescript, I'd say older gentleman with closely clipped graying hair. Looks pretty normal to me.
Maria Varmazes
And then I send back.
Dave Buettner
Who knows what.
Maria Varmazes
I guess. Yeah, thank you. We aren't teenagers so we don't need to send multiple pictures.
Dave Buettner
You look very much beautiful and attractive. So tell me more about yourself. How long have you been living alone?
Maria Varmazes
I've lived alone for 18 months. I was with my ex partner for 17 years. But he met and fell in love with a man. We are still friends though.
Dave Buettner
Well, I'm sorry about that. Where did you meet your man and how do you feel living alone all this months?
Maria Varmazes
We met through mutual friends. I feel fine living alone. What about you?
Dave Buettner
Well, been lonely is kind of hard for me. Ever since I got divorced, have been single, living alone. Trying to live my best life and be happy with what life offered me.
Maria Varmazes
Don't you have friends?
Dave Buettner
Yes, I have friends, but they are all married. Do you live in rented apartment or a house?
Maria Varmazes
You can rent a house or own an apartment. I own my house.
Dave Buettner
Okay. That's nice. Do you have neighbor that lives close to you and how many bedroom house? Two bedroom house with beautiful swimming pool on it.
Maria Varmazes
Does it matter how big my house is? Is that important to you?
Dave Buettner
Not at all. Just that I'm interested to get to know you more. Hopefully to meet you someday in person. You seem like a very nice and easygoing person with sense of humor.
Maria Varmazes
Well, we can get to know each other, but the size of my home is irrelevant to that. So have you been on any dates lately?
Dave Buettner
No, I haven't. How old are you, if you don't mind?
Maria Varmazes
I am 59 and you. Goodbye.
Dave Buettner
Sorry, my friend. I have been very busy with work here. I'm 67 years of age.
Joe Kerrigan
No, he's not.
Dave Buettner
I always got busy with my job. I text whenever I'm free and less busy with things here. Hello, how are you?
Joe Kerrigan
How's the weather?
Maria Varmazes
Yes, that's why you read my book. What is happening? Yes, that's why you read my message and didn't reply.
Dave Buettner
I'm sorry about that. How are you doing today and how's your night? Hope you slept well.
Maria Varmazes
I'm fine. And you?
Dave Buettner
I'm fine, thank you. What's the time? Where you live and where. Oh, and what are your plans?
Maria Varmazes
Geez, it's 9:44. I'm just staying home. And you, man, you're in danger, girl. What are you doing?
Dave Buettner
Okay, same here. All right, we're gonna wrap this up. This is mistake.
Maria Varmazes
I can't.
Joe Kerrigan
This is long.
Dave Buettner
Goes on forever.
Joe Kerrigan
So this is like someone's first day on the job at the romance gaming factory.
Dave Buettner
Yeah. Wants to make an impression on the boss.
Joe Kerrigan
Right?
Dave Buettner
Just hanging in there for ages. I'm just scrolling through here, trying to get to the end. So here's the last page. We'll start here. He says, I have been with my job. Besides, I made a promise to myself that I will navy settle for less. And I pray and hope to meet my soulmate someday and retire from my job so my family can enough of my time. I'm not getting any younger and don't want to die single.
Maria Varmazes
Have you ever dated a man?
Dave Buettner
Ever since I got divorced, life hasn't been easy for me. Living alone without a woman to call my soulmate. Why should I date a man?
Maria Varmazes
I'm just asking you.
Dave Buettner
I can't date a man. And then it ends. So I think you found this scammer's kryptonite. Whatever.
Joe Kerrigan
Right.
Dave Buettner
Whatever. After. Oof.
Joe Kerrigan
That was long. Arduous.
Dave Buettner
It was.
Maria Varmazes
Why do they want to know how many bedrooms this person has in their house?
Joe Kerrigan
That might be. Actually, that might be a way that they can gauge how much money the person has. So they decide whether or not they want to continue on with the scam.
Dave Buettner
Right.
Joe Kerrigan
You know, they say I live in a house. Bedrooms. Right? Yeah.
Dave Buettner
Yeah.
Joe Kerrigan
Right.
Dave Buettner
I rent a studio apartment and I'm barely getting by.
Joe Kerrigan
Right.
Dave Buettner
They're not gonna spend as much time with someone who says, you know, I've never counted the number of bedrooms in my house.
Joe Kerrigan
So many. My dead husband has so much money.
Dave Buettner
The servants tell me. There are wings to the estate that I have yet to visit. So I'm looking for some weird voice.
Maria Varmazes
Coming from the attic. Some wailing.
Dave Buettner
That's right. There's a room. I know there's a room on the other side of the campus where we keep all of the gold, but I've never actually visited it.
Joe Kerrigan
I've heard it's very bright in there.
Dave Buettner
That's right. It's right next to the diamond vault.
Maria Varmazes
Sometimes I do giant leaping jumps into it and go swimming in the gold.
Dave Buettner
That's right, yeah. Are you familiar with Scrooge McDuck? All right, that is our catch of the day. And of course, we would love to hear from you if there's something you'd like us to consider.
Joe Kerrigan
Hopefully something shorter.
Dave Buettner
Yes, please email us. It's hackinghumans2k.com and of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com HH and check out their Zero Trust endpoint protection platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices. That is our show. We want to thank all of you for hanging in there. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazes
And I'm Maria Varmazes.
Dave Buettner
Thanks for listening.
Podcast Summary: Hacking Humans – "Nice to Meet You, I'm a Scammer"
The episode opens with a discussion on the implementation of YubiKeys, a two-factor authentication (2FA) device, within organizational security frameworks. Joe Kerrigan revisits a previous debate about issuing two YubiKeys per employee versus a single key supplemented with spares.
The hosts weigh the pros and cons, emphasizing that providing two YubiKeys can enhance user convenience and reduce downtime in case one key is lost or damaged. Dave highlights the practical benefits, noting that it allows employees to maintain access while awaiting replacements, thereby minimizing disruption to productivity.
Conclusion: Issuing two YubiKeys per employee, while initially more costly, can streamline security measures and bolster overall organizational resilience against unauthorized access.
A significant portion of the episode delves into the controversy surrounding Honey, a popular browser plugin designed to find and apply coupon codes during online shopping. Hosts discuss allegations that Honey manipulates affiliate links to divert commission earnings away from content creators to PayPal, which acquired Honey.
The discussion highlights how Honey allegedly replaces original affiliate links with its own, ensuring that any purchases made through these altered links benefit Honey financially rather than the influencers who promoted the product. This practice raises ethical concerns about transparency and trust between creators and their audiences.
Legal and Community Impact: Dave mentions a class-action lawsuit filed by content creators seeking over $5 million in damages, arguing that Honey's actions deceitfully undermine their revenue streams. Additionally, respected influencers like Marques Brownlee have publicly criticized Honey, urging users to uninstall the plugin.
Conclusion: The controversy exposes the murky intersections of affiliate marketing and user trust, prompting calls for greater transparency and accountability in browser extension functionalities.
The episode transitions to the pervasive issue of romance scams, spotlighting the tragic story of Sue, a 66-year-old woman who lost her entire $2 million retirement savings to a fraudulent online relationship. The hosts underscore the alarming increase in such scams, citing FTC data from 2024.
Statistics: The FTC reported that over 64,000 Americans fell victim to romance scams in 2024 alone, with total damages exceeding $1.1 billion—double the amount from four years prior. Maria notes that these figures likely underrepresent the true scale of the problem, as many cases go unreported.
Conclusion: Romance scams are a growing menace, exploiting the vulnerabilities of individuals seeking companionship. Legislative measures are in progress, but skepticism remains regarding their effectiveness against sophisticated, often overseas, scammers.
Building on the discussion of romance scams, the hosts explore the legislative efforts to curb such fraudulent activities. The Online Dating Safety Act, a bipartisan initiative, seeks to enforce safety measures on dating platforms.
Host Perspectives: Dave and Joe express cautious optimism, recognizing the bill's potential to inform and protect users but also lamenting the inherent challenges in enforcing such regulations against agile criminal elements.
Conclusion: The Online Dating Safety Act represents a step towards enhancing user protection on dating platforms, though its long-term impact remains to be seen amidst evolving scam tactics.
The episode shifts focus to financial fraud, particularly Ponzi and pyramid schemes, with a retrospective look at Bernie Madoff's infamous operation and its aftermath.
Personal Anecdotes: Joe shares a personal anecdote about family members involved in multi-level marketing, drawing parallels between MLMs and pyramid schemes in terms of their reliance on network expansion.
Conclusion: Financial fraud schemes like Ponzi and pyramid operations continue to devastate individuals, despite eventual legal recoveries. Awareness and skepticism remain key defenses against such deceitful practices.
Concluding the episode, the hosts engage in a "Catch of the Day" segment, performing a scambaiting roleplay to illustrate typical scammer interactions and tactics.
Conclusion: Through roleplay, the hosts demonstrate the importance of vigilance and critical questioning when interacting with unknown individuals online, reinforcing strategies to identify and avoid scam attempts.
The episode "Nice to Meet You, I'm a Scammer" offers a comprehensive examination of various social engineering tactics employed in cybercrime, from phishing through browser plugins to sophisticated romance scams. By dissecting real-world cases and legislative responses, the hosts provide listeners with valuable insights into recognizing and mitigating such threats. The inclusion of roleplay further equips the audience with practical skills to identify and disengage from fraudulent interactions.
Listeners are encouraged to stay informed, adopt best security practices, and critically evaluate online interactions to safeguard against the ever-evolving landscape of cyber threats.