Hacking Humans – “Scammers gonna scam.”
Podcast: Hacking Humans (N2K Networks)
Date: January 22, 2026
Hosts: Dave Bittner, Joe Kerrigan, Maria Varmazes
Theme: Deception, influence, and social engineering in the world of cyber crime
Episode Overview
This episode dives into recent developments in social engineering scams and explores how scammers use emotional manipulation and evolving tactics to trick individuals and organizations. The hosts analyze current phishing trends, share insightful feedback from an IRS special agent, and recount real-life scam experiences—including an Uber driver scam and the latest “rage bait” phishing targeting business platforms.
Key Discussions & Insights
1. IRS Criminal Investigation Feedback: The Real Protocols
Segment Start: [09:45]
- Listener Feedback: A comprehensive email from “Tim,” a special agent in IRS Criminal Investigation, responds to previous misconceptions discussed on the show about IRS communication procedures.
- Clarification:
  - Criminal Investigation agents do show up unannounced, make cold calls, and sometimes use email.
  - Verification of agents can be done over the phone or in person, but photos of badges cannot be sent.
  - For in-person meetings, the safest venues are public, official buildings—local IRS or U.S. attorney’s offices.
  - Leaving a business card is normal if contact isn’t made.
  - For civil IRS matters: If the communication doesn’t fit the usual pattern (letter, call, or email from someone you’ve already interacted with), treat it with caution. Never pay with gift cards or Bitcoin.
- Notable Quote: “We in criminal investigation 100% show up to people’s houses unannounced… or send an email to initiate contact—which are all things that we said they don't do. So we were wrong.” (Dave, [11:12])
- Lively banter follows about trust, public meeting places, and the practical realities of IRS investigations.
- Takeaway: Scammers prey on confusion about government communications—Tim clarifies truth from myth, offering concrete verification tips and confirming that scammers are persistent in exploiting public uncertainty.
2. Evolution of the SendGrid Phishing Campaign: The Rise of Rage Bait
Segment Start: [17:05]
- Background: Since 2020, scam emails have targeted users of mass email services like SendGrid and Mailchimp by compromising accounts and sending credential theft emails.
- Old Tactics:
  - Compromised SendGrid accounts led to phishing that mimicked real support requests (“your account is compromised,” etc.) with the goal of stealing login data.
  - The scam chained itself by hijacking further SendGrid users—a recursive "phishception."
- New Tactic: “Rage Bait” Phishing
  - Instead of fake support issues, phishers now send emails inflaming strong emotions—e.g., "We'll add a Support ICE (Immigration and Customs Enforcement) donation button to your emails" with an opt-out link (the attack vector).
  - Other variants: Pride or BLM footers "automatically added" to emails, targeting both ends of the political spectrum.
  - The emotional “rage bait” is designed to panic recipients into clicking malicious links and handing over credentials.
- Notable Quotes:
  - "This is remarkable because... a phish using rage bait as its hook... I guarantee you we're going to see a lot more of this kind of tactic." (Maria, [22:55])
  - "This would 100% have worked on me... I would have panicked so quickly." (Maria, [23:52])
  - "This is what we always talk about, using your emotions to short circuit your critical thinking." (Dave, [22:58])
- Discussion: How this tactic casts a wide net by provoking politics, fear of customer backlash, or workplace panic—especially hitting lower-level employees who may act impulsively to “fix” an issue.
- Recommended Defenses:
  - Enable 2FA (now available on SendGrid, though not always required).
  - Use unique, strong passwords to prevent account takeovers through credential stuffing/reuse.
  - To verify email changes: Don’t click direct links—navigate to your account via a separate browser window.
  - Beware of decisions made under emotional duress—pause and critically evaluate before acting.
3. Cambodia Scam Center Crackdown
Segment Start: [28:18]
- Quick Update: Amid global concern, Cambodia claims it will continue dismantling scam centers even after recent high-profile extraditions.
- Key Fact: Regional scam centers are responsible for billions in fraud affecting victims worldwide. Efforts to eradicate them are ongoing and complex.
4. Uber Driver Support Scam
Segment Start: [29:35]
- Case Study: An Uber driver (alias “Zach”) is called during his shift by someone claiming to be Uber support.
- Scam Mechanism:
  - Told he'd been reported as driving drunk.
  - Instructed to pull over, cancel his ride, and go to Walgreens to take a sobriety test.
  - Forced to pay $300 for the “test” (with a promise of refund if passed, plus threats of permanent ban).
  - Of course, the test was fake—nobody met him at Walgreens.
- Uber’s Statement: They will never call drivers directly; all official communication happens via the app.
- Discussion: Hosts speculate on how scammers source driver phone numbers and manipulate targets with authority, urgency, and threats to livelihood.
5. Catch of the Day: “Dave & Maggie” Chat Scambait
Segment Start: [35:47]
- Community Submission: A hilarious excerpt from Reddit’s scambait subreddit, where a scammer attempts social engineering by relentlessly repeating the recipient’s name (“Maggie”) in nearly every line.
- Memorable Moments:
  - The hosts riff on the awkwardness (“It’s like he’s got Tourette’s and Maggie is his tic.” – Maria, [40:16]) and the futility of overusing rapport-building tricks.
  - Joe recounts old sales “Jedi mind tricks” (like always saying someone’s name) and why they’re ineffective or even insulting when overdone.
Notable Quotes & Memorable Moments
- On verifying IRS agents: “If someone needs to verify whether or not an IRS special agent is real, they should meet them in person at a public place, such as the local U.S. attorney’s office, the local IRS office, or a library, and ask to see their credentials and badge.” (Tim, via Dave, [11:35])
- On rage bait phishing: “A phish using rage bait as its hook... this seems rather dastardly to me.” (Maria, [22:55])
- On emotional manipulation: “Using your emotions to short circuit your critical thinking.” (Dave, [22:58])
- On scammer scripts: “This is like the single worst Jedi mind trick that I've ever heard anybody try to say. Like, in sales, just keep repeating someone's name in every sentence.” (Joe, [42:31])
Timestamps for Key Segments
| Timestamp | Topic |
|-----------|-------|
| 09:45 | IRS Special Agent feedback on scams/verification |
| 17:05 | SendGrid phishing evolution & rage bait technique |
| 28:18 | Cambodia scam center crackdown |
| 29:35 | Uber driver targeted by support scam |
| 35:47 | Catch of the Day—Maggie/Dave scambait transcript |
| 40:16 | Reflection on rapport-building “Jedi mind tricks” |
Tone & Style
Throughout, the hosts leverage their signature blend of humor, candid storytelling, and practical security advice. Maria’s enthusiasm, Joe’s skepticism, and Dave’s wry observations create a relatable and approachable discussion on sophisticated as well as boneheaded scams.
Practical Takeaways
- Government agencies may contact you in ways you don’t expect; always verify identities in neutral, official settings.
- Phishing evolves: scammers are weaponizing political and social outrage—not just fear or greed.
- Emotional reactions (panic, anger, urgency) are signals to pause and think.
- Enable multi-factor authentication everywhere, especially on high-value accounts and platforms.
- Be critical of emails that try to inflame feelings or force hasty decisions.
- Rapport-building social engineering is easy to spot when overdone—train users to recognize manipulative patterns.
For more details and to read the stories referenced, check show notes for resource links. Feedback, scam stories, and phishing attempts can be submitted to hackinghumans@n2k.com.
