A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey there, Joe.
C
Hi.
B
And N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazes. Maria.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week, but before we get to that, let's look at some of our follow up here. We've heard from several of our listeners. What do we got? Do you want to lead us in here, Joe?
C
Yeah. First, we have a correction for me. Last week, I repeatedly referred to the company that makes ChatGPT as ChatGPT. I should have been calling them OpenAI. Oh. I will not, however, apologize for calling Meta Facebook.
B
Okay, fair. I think it's like calling. What you did was like calling. Not calling. Google. Alphabet.
C
Right? Yeah, I don't want to do that either. Yeah, Still Google.
B
All right.
A
Yeah, forgiven.
B
All right, next up, we have a.
C
We have a. A message from Chris, who is a longtime listener of the show and loves it. He cannot recall if this has been mentioned by name, but his employer uses a company called Hoxhunt, H-O-X-H-U-N-T, for cybersecurity awareness training. And he saw this gem this morning and it was a. It's a definition of the term quishing, and it says phishing plus QR codes equals quishing.
A
Full body cringe.
C
I mean, I guess I'm not going to fault Hoxhunt here, because what they're doing is they're trying to educate employees on the terminology that's used.
B
Yeah.
C
This is not a Hoxhunt.
A
Is that used, though?
C
It is, yeah. It's not a Hoxhunt problem. Yeah. Quishing.
B
Oh, yeah. Quishing's the thing.
C
All over the place.
B
Yeah.
A
Oh, boy. Okay.
C
But I hate this term so much.
B
Yeah.
C
But I get why Hoxhunt has it in their. Has it in their training platform. Because that's a term of art, unfortunately.
B
Yeah. It seems like the only people who like these clever little phishing variants are marketing departments.
A
I agree. Yeah. Because there's, there's vishing, there's all these different ones. It's like it's just phishing with extra steps. It's just different flavors of it. Can we just be real? If you ask me out of context, what is quishing? I mean, maybe I would guess a QR code is involved because of the Q, but it's just not right.
B
I mean, I'd be afraid. I'd be like, oh, gosh, is this a round trip to Urban Dictionary or not? You know, I don't know. What am I getting myself?
C
It sounds like it might be something gross.
A
It does, doesn't it? Or phishing or. Yeah, yeah. There's all sorts of really weird ones.
B
Smishing, smishing. Yeah, yeah. All right, thank you, Chris. And we've got another bit of follow up here. What do we got, Joe?
C
So it's from Jay, who says, hey, Dave, Joe, Maria, my wife just forwarded me this news clip about a scam running in large cities. The TLDR, that's short for too long, didn't read, which is what I look for every time, because a lot of these articles are too long and I just won't read them. Nothing. Okay?
B
So if you want to wallow in your own laziness, Joe, and brag about it, that's fine.
C
The TLDR is that criminals are sticking cell phones to victims cars. And these cars are usually desirable models. And then they are using the phones and their GPS tracking features to show up at the person's house and steal the car. Which I think is an interesting way to go about stealing a car.
B
Okay.
C
I mean, if you walk up to somebody, right? I mean, you're gonna carjack them, right? Or you're gonna steal it out in broad daylight. It's gonna look kind of suspicious if you're in a parking lot and you're sitting there trying to break into a window or something. But if you can wait until that person goes home and under the cover of darkness you can go out and steal their car, then I think that's an easier way to do it, I suppose, from a criminal perspective.
A
So there was this. There's a wrinkle in this story that the link, the Jay included a link, and I was reading it, where they also show up to your house and intimidate you into giving back their phone. Which is kind of wild because, you know it. Because I was thinking, why would they not just do this with an AirTag or something where it's not easily. Right, because that's what I was thinking it was going to be. But they are actually using a phone so they can claim that, like, you stole their phone, so they have a beef with you, basically. So they're showing up at your house going, you took my phone. I want my phone back.
B
And I'm gonna take your car for good measure.
A
So it's a whole thing. It was like you took my phone and that's sort of like their lead in. But it's odd. Yeah, it's why it seems overly complicated yet again.
B
But is this taking advantage of the fact that phones, most phones have magnets built into them now?
C
Is that my phone does not have a magnet. Does your phone have a magnet?
B
Yeah.
A
Yeah, mine does. Yep.
B
iPhones do.
C
Really?
B
For the wireless charging. Okay. And so, like, that's how my phone. What I use it for is that's how my phone connects to my little, like, dashboard adapter in the car. It just uses that magnetism to click on there.
C
How does that affect the compass and other gyros?
B
Amazingly and head scratchingly, it does not. So the. Yes, the. The magicians at Apple have figured out a way to get around that huge magnetic field and still be able to get the magnetic field of the.
A
They use the accelerometer for the compass, don't they? They don't use an actual magnet.
C
No, they use. They use. The compass has a magnetic sensor in it, or at least mine does, because I. If I'm too close to a piece of metal or if I put one of those pieces of metal in the back of my phone case so that I can stick it to a magnet, which I don't because it messes up the compass. I get a message.
A
It messes up the compass that says.
C
Hey, there's a strong magnetic field or maybe some metal near the. Near the comp. We can't.
A
Well, I'll be danged.
B
All right, I did not know that. And yet another point for team Apple. Wow.
C
I will grant you that.
B
All right, we got one more bit of follow up, and it's coming from inside the house. Joe, what do we got going on here?
C
I think I might have a problem, guys.
B
Yeah.
C
Yeah. There's a picture in the script here of six brand new little chickens, and they're at my house right now chilling out in my garage, which I only recently began unpacking. And I started making some great progress. And my wife and daughter said, ooh, look at all this space. More chickens. So I of course, agreed because I love chickens and I now have six little chicks. We're going to try to integrate them with the rest of the flock. But these are ones that lay colored eggs, like little blue eggs and green eggs. And maybe I'll actually have some green eggs and ham one day.
B
Okay.
A
Oh, what kind of chickens are these?
B
Geez.
C
You asked. Two: one is an Olive Egger, that's the one that lays the green eggs, an Easter Egger that lays a blue egg, and then an Ameraucana, which also lays a blue egg.
B
Huh.
C
A different colored blue egg. Okay, so we'll have multicolored eggs along with the Wyandottes, which I've been mispronouncing Wyandotte for a while. I was informed of that one day last week, I think, and they. I think we haven't seen any eggs from them, but my understanding is they lay brown eggs. They may not. I don't know. We'll see.
B
Okay, so are these gonna stay at your house, or are these getting integrated with your daughter's chickens?
C
Probably integrated.
B
Okay.
C
Probably integrated. I mean, I'd love to have six little chickens at my house. I'd have to build a little chicken tractor. It should be fun.
B
Why would you need to build a chicken tractor?
A
It's like a chicken tractor.
C
Oh, a chicken tractor is like a little, tiny chicken coop on wheels.
B
Oh, right.
A
So, okay, so they don't drive it, Right?
C
Well, it depends on how advanced I.
A
Want to get driving farm equipment. I'm like, why would you need that? And also, how does that work? Okay.
B
Yeah, I'm just imagining chickens.
A
I don't want these things.
B
Little cowboy hats, little overalls, driving around in little tractors.
C
Well, you laugh at this, but there was actually a study done in World War II that had pigeons guiding bombs into ships.
A
Well, there you go. And maybe chickens and farm equipment.
C
So maybe I'll. Maybe I'll. I'll come up with something similar that has the chickens move the. Move the tractor around on their own.
B
Why would your coop need to be movable?
C
Because it would be, number one, it's smaller. Right. It's a coop and a run built together. So it's not like what my daughter has is a. Is a very big coop and a very big run. Okay, so the chickens are in there, but that's really expensive. Right. So you can cheaply build a chicken tractor that has a smaller coop for, like, six chickens and then a small run. But you can't have them in that same run every day, all day, every day. You have to move them around the yard, or they'll just destroy the lawn.
B
Oh, I see.
C
So yeah. So you.
A
They get depressed or something.
C
Well, I mean, I don't know that they get depressed. It might actually decay the food that's there. But also, they will poop all over the place. These birds do not care about where they poop.
B
Yeah. So you move it around and you don't have to mow the lawn.
C
You probably still have to mow the lawn because these things are going to actually provide nutrients that make the grass grow.
B
I see. Oh, well, nothing's perfect.
C
Yeah.
B
Okay, well, good luck with your chicks. I hope they all survive.
C
So far, so good.
B
I hope you have no snakes in your garage.
C
Ooh, that's a good point.
A
Oh, geez, he's going to run off right now.
C
When they're this big, when they're this big, that's a problem. But when they get bigger, that becomes the snake's problem.
B
Right.
C
A full sized chicken will take one of those things out. They'll go, hey, look at this big wiggly worm.
B
Yeah. I had a friend with a chicken coop and the chicken coop had a black snake who was part of the.
C
Coop, part of, part of the ecosystem.
B
Yeah. So basically the deal was that in exchange for keeping the rodent population under control, which is what the snake did, the snake got eggs.
C
Hmm. So, you know, you'd think he'd be happy with the rodents.
B
Well, I mean, you know, I mean, that was the incentive to not get the snake to move along.
C
Okay.
B
Right.
C
Yeah.
B
So, you know, but you gotta be okay with snakes and not everyone is.
C
I'm fine with snakes, but not around my little chicks.
B
Yeah. All right, I tell you what, let's take a quick break to hear from our show sponsor. We will be right back with our stories. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we are back. Maria, you want to start things off for us this week?
A
Yes, I do. All right, so I was delighted to get an email in my inbox just a few days before recording this show, actually. And the subject line was elevate Spotify's global social media strategy as our next vice president sent to me Maria Varmazes in my personal Gmail account. And I was delighted because I said I got a fresh scam in my inbox because ain't nobody want me to be their vice president of anything. So that would be absolutely the biggest giveaway ever. This was a scam.
C
Well, you know, I was listening on Spotify to one of the great podcasts that's on our network. There are on. On our distribution system. And lo and behold, Maria Varmazes, she sounds like she knows things. Could happen.
A
Yeah, could happen. So quick, fun fact, nobody's hiring a vice president in a blind email. Like this kind of thing, this is never how that kind of recruitment works. So that is again, like one of the other glaring signs that this is a scam. But I was really kind of excited to get this one in my inbox because I really wanted to see how. What. How this one worked, because I know that there have been variants of the Spotify job hire scam that's been going around in the world of marketing and marketing-adjacent people, which I have been for quite some time. So the email I got came from Spotify HR, and the email specifically was a noreply@appsheet.com, and that made me go, okay, that is an interesting little inclusion. And the text of the email had, you know, my name. It was very standard. This is the pitch for this job we're trying to hire for. There was no link at all there. This was not like a phishing thing where they went like, please fill out this form on this website. There was nothing like that. There was no attachment there. I even checked the source of the email. There was nothing really dodgy that I could see immediately going on, unless maybe Gmail filtered it out, which is possible. And it was signed, best regards, the Spotify recruitment team. Again, this is never how this kind of communication would go. But anyway, yes, the thing that was interesting is at the very bottom, it was again included, powered by AppSheet. So I said, okay, clearly someone has a whole pile of emails of folks like me who have worked in marketing at some time, and they're sending a whole bunch of bulk emails out through AppSheet and hoping somebody will bite. But again, I was like, where is this? Like, I know this is not real, but what exactly is the scam here? How is this playing out?
C
Can we. Can we stop for a second? Because I have an ignorance hole that needs to be filled here.
A
Sure.
C
What is AppSheet?
A
Okay, great question. So I didn't know that either. So I actually went to their website and it's. I'm going to really nutshell it. It sounds like it's a service that allows you to automate a whole bunch of processes. Um, so if you want to do like, hey, I want to send a whole bunch of people an email, you can automate that through this thing and you can build, I think, build like little tiny apps that way. So an automation process thing is sort of my understanding. It's a. It's a legit tool. It's a completely legitimate tool.
C
Okay.
A
It, to me, it sort of reminded me of Zapier a little bit, but not quite. But I'm sure somebody who uses this heavily will be able to correct me. But it's a completely legit tool. But yeah, again, I. No job offer would be coming this way. So I was trying to figure out, like, what exactly is the scam here? Aside from this is obviously a fake job? Like, how are they trying to get me and what are they trying to get me into do? Like what, what are they trying to hook me in? So I, I did a little Redditing because I just really was trying to figure out who else has seen this. This cannot. This I know is not new. And I was reading through the comments on the scam subreddit of this exact same scam. And actually Myan Plout, who's been on Hacking Humans, our colleague at N2K, Dave, she's also received a variant of the scam, which I thought was very interesting because she and I sort of are in the same marketing world a little bit. And so somebody who actually fell for this scam wrote down how they got hooked. And apparently if you respond to this email, even though it's a no-reply, somehow if you respond to it, there is somebody who, maybe not on the one that I have, but somebody somewhere is responding to the emails that are being sent blindly to unsuspecting folks. If you respond that you are interested, they forward you information about setting up a call. So again, if you're a job seeker, this might sound really promising. And when you go to the site to arrange a call, I imagine it's probably something like a. That might look like a Calendly or some kind of service like that. It will list all potential job openings at Spotify. Again, this is not legit, but it will look like it. And then it'll ask you to log into your Facebook or create an email account. And then after trying to create one, create an account via email, it redirects you to a forced Facebook login page, still with the fake job URL at the top. 
So this is very odd to me that the whole point of this scam is to try and, I guess, harvest legitimate Facebook credentials. I'm not, I don't. I'm. That was the only thing I could find in the thread of people who got this who actually sort of went down the rabbit hole of following the scam. It feels like a lot of work to go after people potentially who are looking for jobs to just say, I'm just trying to steal your Facebook creds. But in theory, I suppose those could be creds that are reused in other sites, and that could help them validate that this is a real contact. That would be my guess. But I just sort of wanted to put out an FYI for people if they are getting weird outreach, especially if they're looking for jobs, especially if it's Spotify wanting to make you a vice president. Obviously, be careful. But even. Especially when the scam is not obvious, there is something down the line, and in this case, apparently some sort of credential harvest, either through Facebook or email. So please be careful.
B
It makes me wonder what the comparative value is of different Facebook accounts. In other words, anybody can spin up a Facebook account and that probably has very little value. But let's say you took my Facebook account, which has been active for over a decade.
C
Right.
B
And has thousands of contacts and photos and all sorts of things that make it.
A
Yes.
B
A legit account. Right.
C
Or if you're a.
A
So my guess is if. If you're a marketing person like me, you probably have admin access to a lot of company pages that you've been an admin for. So if they hijack your Facebook account, you now have access to a whole lot of other stuff. In theory. Although a lot of higher up companies, they don't. They operate differently. There's other processes to prevent something like this happening, but not always. So, yeah, someone could go, hey, I now have access to your Facebook account, which you use to log into all of these different companies and manage your social media. So that certainly for me, like 10 years ago, that was how we did this kind of stuff. But I don't do it that way anymore.
B
Right, right. I guess there are still some places that allow you to use Facebook as your single sign on. So the places you go, say log in with your Facebook credentials, which I would never do, but you can do it.
A
Certainly not for a job. Yeah, no, no, no.
B
I just mean like in general, like once you have someone's Facebook credentials, could you use that to get into other places?
C
I imagine, absolutely.
A
It was very popular back when that first rolled out Facebook single sign on. But I feel like most of us have moved away from that.
B
Yes. They were one of the first to offer it, and I think it was like right in the crossover between when that sort of thing was being offered and people were realizing that Facebook has no moral compass.
C
Right.
A
And the integration doesn't always work very well. And, you know, if you get locked out of your Facebook account now, you can't log into anything. It's that whole thing.
B
Right, right. It is remarkable how good this email is. I don't see any particular red flags in the grammar or the formatting or anything like that.
A
Exactly.
C
The one red flag I see is the beginning is, I trust this message finds you well and in excellent spirits. Which smacks to me of AI writing.
B
It or a translation.
C
No. Whenever I have ChatGPT, write a letter, or whenever I've done this, the opening line is, I trust this message finds you well. For some reason, it always opens with that. And when I was working at Hopkins, I would get emails from students that always started with that sentence, like, over and over and over again. And I'm like, why are they all doing. And it occurred to me, oh, these guys are just using an AI to write me a letter.
B
Yeah.
C
So, huh.
A
I wouldn't object to an email that's AI written for something like this, like a job outreach, where clearly it's a lot of different people. But again, I didn't even have to open it to know that this was fake. Cause again, nobody's reaching out blindly for a vice president role, especially one that I am wholly unqualified for. But again, it's just. This is not how. This is just not how this works.
B
Don't sell yourself short, Maria. You could totally. You kill it in this job.
A
In a sector I have never worked at. Oh, yeah, I would totally rock this job.
B
Where's your sense of adventure?
A
Oh, my God. How to Tank Spotify Social Media. Hire me.
B
Right, right, right. All right, well, very interesting. I guess there's no link to share on this one because this one came directly to you.
A
It landed right in my inbox. So we have a link to the.
B
Yeah, we do have a link to the Reddit thread. The Reddit thread that relates to this. So we'll include that in the show notes. All right, Joe, you are up. What do you got for us?
C
I got two this week because they're short. The first one comes from Matt Schooley, who is at WBZ News. It's a CBS. Oh, yes. Oh, that's right, because this is actually up in. Up in Massachusetts where this is happening. This is a story. The headline is Uber drivers help end scam targeting hundreds of grandparents, U.S. attorney says. So, are you familiar with Leah Foley, Maria? She is the U.S. attorney for Massachusetts.
A
Yeah, I've heard her name. Yes.
C
Okay. So she has, she and law enforcement have arrested or charged, I think 13 people, and they've arrested nine of them. Four of them are still on the loose, two of them here in the States and two of them in the Dominican Republic where they think this scam was being run out of. But this was a grandparent scam that was using Uber to either deliver, deliver the money to the scammers or pick up the grandparents and take them to the bank, then take them to take the money to the scammer. So the average victim of the scam was 84 years old and the total amount of money that was lost surpassed $5 million.
B
Wow.
C
There's something like 400 victims that they know about. 400 victims from 50 states. So here's what's interesting. The way this became known to the FBI is Uber reported it because Uber is frequently used as unwitting courier in this kind of scam. So a couple of months ago we were talking about how Uber drivers are used to deliver things and I had told you I have a friend that is an Uber driver and he was, did a courier, a courier thing once. Only once. He only did it once because he was almost positive what he did was, was facilitate some kind of crime. Oh, so there is now. It wasn't, it wasn't a scam crime like this that he was, he was part of, he thought it was something else. That's all. I'll say.
B
Yeah.
C
But what they did was they started noticing that a lot of people, or there were a few people rather, who were sending out courier pickups for a bunch of different, different locations or they were ordering rides. And that's kind of unusual. So it kind of sticks out like a sore thumb. In the Uber, in the Uber data set. So they notified the FBI and FBI. The FBI investigated and they wound up arresting all these people, which is, which is great. And they still have four people to arrest, including this one guy whose name is Rantsel Saint Arvin Calvarez Jimenez. And there's a picture of him in this article with a mad stack of cash that is allegedly resulting from these scams. His ill gotten gains. His ill gotten gains, Right.
B
He's like, look at all this money.
C
I took from old people posted on the Internet.
B
Let's create some evidence.
C
Right, Exactly.
A
Oh, they're not always the smartest, these criminals, are they?
C
I cannot tell you anytime there's something kind of mischievous going on and somebody pulls out their cell phone, I said, no, that's evidence, don't do that.
B
Right. Oh my Goodness.
C
I'm not worried about law enforcement evidence. I'm just worried about, you know, maybe. Maybe my wife is like, why are you doing this?
B
Right. You know, and how did it end up on the Internet?
C
Right. Why do you have this gasoline and the. And the f. In the fire pit?
B
Yeah.
C
Right. So it's. It's more me protecting myself from somebody finding out I did something incredibly stupid. But that's. That's my first story, my second story. And we haven't. You know how last week I said we haven't had a pyramid scam story in a while? Yeah, Well, I. It's. It's not a pyramid scam. I'm really still looking for a good one. But it is a. It's a. It's a. It's an in person scam. This is out in Northern California. It's called the cash drop scam, which is kind of like the pigeon drop scam. Yeah, but this is where somebody walks up to you and says, hey, did you drop this $20 bill?
B
Hmm?
C
Now, I don't know about you, but whenever anybody asks me that, I immediately go, no, because I don't carry cash at all.
A
Okay.
B
Okay.
C
I just don't. And I've always had this policy of rigorous honesty where things like that have. Have saved me from getting in, not getting scammed, but, you know, getting. Well, I mean, having pranks pulled on me, you know, having you having somebody say, hey, did you drop this money over here? And then you go over there and something terrible happens to you. Like, you know, maybe you. You walk into a room that has a bucket of water on the, on the, on the door, and I would just say, no, I don't. I don't have any money. I don't carry money around. So it wasn't my money.
B
Pull my finger.
C
Right.
A
I was wondering if the scam worked. Like, you know, there's a little fishing line attached to the $20 bill, and as you go to reach it, someone's pulling it away from you, and you just keep chasing after it.
C
Right. And then they hit you with a club when you go around a corner.
A
Yeah. I was like, hey, you dropped that money. But that's where my mind goes. I would pay.
B
I would pay $20 to see Joe chasing after a $20 bill on a fishing line.
A
But he doesn't carry cash, so, no.
C
I don't carry cash.
A
What would he do with the 20?
C
I would be thinking, hey, I just found $20.
B
Right?
C
That'd be cool.
B
And then I would win a hundred Thousand dollars on America's Funniest Home Videos, Right?
C
I did one time fall for the quarter glued to the floor trick one time.
B
Oh, yeah, sure.
C
It's just a quarter. And I bent down to pick it up, and, like, a bunch of kids started laughing at me. I was like, yeah, good one. And did you split your pants?
B
No, that would have been perfect.
C
Hilarious. They were all like, I got you. I'm like, yeah, yeah, you got me. Bye. Okay, so now the way this works is these guys actually kind of watch you withdraw money from an ATM. So they. They go up, they. They get your ATM PIN, and then they watch you withdraw the money, and then they say, hey, you dropped this money. And then they're also kind of pickpockets. So they will either take your ATM card or replace it, swap it out, and then they just go and they make a withdrawal to, you know, to all your. To your account. So there was a. The way this was found was there was a loss prevention agent who was at a local business who noticed that there were these two people out there milling about constantly and talking to people. And he reported it to the police, and the police came in, found out that they were scamming people and arrested them.
B
Hmm.
C
And they're both now in custody. And they are. They. When. When they were asked for identification, they showed Romanian passports. So when they were arrested, they were found to have multiple felony warrants for fraud, identity theft, conspiracy, and caretaker embezzlement slash elder abuse.
B
Oh, wow.
C
So these are just not just two scammers out in the parking lot. These are serious people that make their living doing this.
B
Right. Professional scumbags.
C
Right. Exactly. So, I don't know. My only advice here is that if someone walks up to you and says, hey, did you drop this money? You know, put your hand in your wallet or something?
B
Right, Right.
C
And I, you know, I. I don't like using ATMs, but when I do, I'm. I'm always. I always make sure that I'm the last guy in line. You know, if somebody. If somebody comes up behind me.
B
Okay.
C
I just stop what I'm doing and I go, why don't you go ahead, little old lady who's probably gonna pull a stick out of her bag and hit me with it. Take what I'm gonna get out. Yeah. I don't know. I'm very suspicious. I don't trust anybody, Dave. No way to live.
B
I usually use my grocery store as my ATM if I need to.
C
Yeah, that's a good policy.
B
Yeah.
C
Yeah. You get a little extra money out when you buy something.
B
Yeah. Big public place, you know.
C
Yeah.
B
They typically ask, would you like some cash back? And I'll say, yeah, sure, why not? It's mine after all.
C
And yeah, Hannibal Buress has a great bit about that where he says, some people will get cash out when they buy something, but I like to return the thing I bought right after I get the cash out. Yeah, I'd like to return these Skittles. My receipt is actually still in your hand.
B
Okay.
A
I feel like I'm missing something with that.
B
Oh, you have to buy something to.
C
Use to use it.
B
Right, I see. All right, I'm with you now.
C
And it's a transaction-fee-free ATM, essentially, is what he's doing.
B
Right, right, right. Gotcha, gotcha. All right. We will have links to both of your stories in the show notes. We're going to take a quick break here to hear from our sponsor. We'll be right back. And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact, and manage access to storage devices. Its building blocks are allowlisting, ringfencing, and network control. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP, or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. My story this week comes from a couple of sources. We've got. The folks over at Bitdefender actually initially brought my attention to this story, but it was also reported by The Sun from the UK, and this is actually about a reporter for Good Morning Britain, which I guess is like Good Morning America, only smaller.
C
Yes, much smaller. Metric.
B
Right, Right.
C
No guns.
B
Yeah. And free healthcare. So Good Morning Britain's North American correspondent, named Noel Phillips. He went public with his own personal story. He lost his life savings, which in his case was about £22,000. And Noel is a young guy, so just kind of getting started in life, and had managed to tuck away a nice little nest egg for himself.
C
Pretty good for a young man.
B
Yeah. And it started when he got a call from Chase Bank warning him that his account had been compromised. The number matched up with what he had in his phone from Chase Bank. And so he didn't answer that call, but he called them back, and he thought he'd reached customer service, and he had not.
C
So how did. Wait, now I'm confused.
B
Don't ask too many questions, Joe, because I'm not going to be able to have the answers to them. So once these folks engaged with him, somehow they were able to get inside of his banking app, or to, I guess I should say to trigger a notification from his banking app showing a payment that he had not made. Okay, so this freaked him out. He was like, what's going on here? I just got a call from my bank. They said my account has been compromised. Now my bank app is telling me that there's a problem. And he is on the phone with the scammers as all this is happening. But he doesn't think they're the scammers. He thinks they're the bank. So he rushes to his local branch, and the people on the phone with him persuade him to transfer his savings into safe accounts. And I'm putting safe accounts in air quotes.
C
Right.
B
That they say are in his name.
C
So is this a branch of Chase Bank?
B
Correct. He walks into a branch of Chase Bank. Now, the scammers convinced him that the people at the bank were in on the scam. And so he should not tell the tellers what's going on because they're in on it.
A
Wow.
C
Okay.
B
Right.
A
Oh, my goodness.
B
So he goes to the local bank, transfers this money that he thinks is transferring to safe accounts. He believes that the security folks from Chase Bank are on the phone with him. He gets all this done and his money is gone.
C
Right.
B
And Chase Bank tells him that they can't recover his money because they don't know who the criminals are. An interesting sort of wrinkle to this story is that in The Sun's version of this story from the UK, they had to point out that because banking laws are different in the US, he can't get his money back. In the UK he would have gotten his money back. Oh, right.
C
This was a bank in the U.S. Yeah.
B
So he's the North American correspondent for Good Morning Britain.
C
Right, so here's my question. Does Chase Bank not follow the know your customer regulations? Because these were accounts that were open to Chase Bank.
B
Yeah.
C
Right. So they.
B
Well, which accounts? The safe accounts.
C
Yes, the safe accounts.
B
I think the safe accounts were just random accounts at some other bank that he routed his money to.
C
Oh, okay. So they weren't Chase Bank accounts.
B
Yeah, I think the fraudsters convinced him that these were safe accounts and that they were with Chase, but they were not. I'm guessing they were with some other bank, you know, halfway around the world.
C
Could have been.
B
So he did not get his money back because he was the one who put all this into action. Right. He walked into the bank and he's the one who transferred it. So it's his. The way the rules are written for us here in the US, he's responsible for that action. He said that he felt embarrassed, ashamed and worthless after being a victim.
C
I get it.
B
Yeah.
C
And, you know, last week or two weeks ago, I talked about how I fell for a phishing email.
B
Right.
C
And felt very much the same over something small and stupid like a phishing email.
B
Yeah.
C
I cannot imagine how I would feel over 22,000 pounds. What is that in dollars?
B
Right. What's that in real money?
C
Right.
A
You know, it's under 30k, which is a lot of money. I mean, still.
C
I mean, 30k is a lot of money.
B
Yeah, yeah, yeah, yeah. No doubt about it. So in terms of red flags to share with your friends and family, I mean, obviously an incoming call from your bank automatically should be a red flag.
C
Right.
B
You should call your bank back, but use a number you know is the bank. Right. And you know what? It's. So it's frustrating how detailed we have to get with this because now we have to tell people, don't Google the phone number of your bank.
C
Right, Right.
B
Because it might not be the number.
C
For your bank. It comes back as a paid ad that the scammers have bought.
B
Right.
C
Targeting you. They want to target you. So when you get the number, get.
B
The local number for your local branch. Right. But look at this case. He physically went to his bank.
C
Right.
B
He got in his bank. Right.
A
Because he did. Yeah. He didn't say what this was about because he'd been told that the bank was in on it. I'm sure. Had he mentioned what this was? The bank's been trained to tell people, hey. Like, hey, that's actually a scam. Let's maybe slow down. But he didn't say anything because he was primed not to.
C
Right.
A
Yeah, That's. Oh, that's. So now that, now this, the criminals are trying to work around that.
C
Yep.
A
I am wondering, genuinely wondering, given that he has a sort of public profile job, did his employer train him at all and saying, hey, because you have a high profile job, you might be getting targeted in scams that are going to go after you like this. I'm. I'm wondering because that, yeah, again, anybody can get hit by a scam like this, but yep. Especially if you're regularly appearing on tv, this feels like something that your employer should be maybe going a little bit out of their way to tell them. Be very, very vigilant.
B
Right, Absolutely.
A
I just wonder. Yeah, right.
B
Yeah.
C
I think the way this, I don't know, I'm not familiar exactly with how these anti fraud things should go, but when you get a call from fraud prevention, you should be able to say, that's not me, lock it down. And you shouldn't have to take any other action. Yeah, they're the bank, they're the bank security department. If they are calling you. 'Cause fraud prevention will call you.
B
Right.
C
And when they call you, they say, hey, was this you buying? You know, buying, I don't know, $100 worth of chickens at Tractor Supply?
B
Because that couldn't be a traditional man would do such a thing.
C
And I have to.
A
Isn't it interesting though also that we sort of have become primed to think that if there's a mistake that was like that, it's on us to fix it and that the banks will do nothing to help you. And I think that's also maybe a panic that's spurring people to take these actions that end up hurting them in the long run. Because think about it, if you get a call, they're not going and we'll fix it. We just called you to make sure these scammers are going and it's your job to fix it. Which. And everyone's going. Okay, that makes sense.
C
Right?
A
So no customer service.
C
Yeah, that's.
A
Yeah, yeah.
B
I may have mentioned this before. A few months ago I was chatting with a friend of mine who's a commercial banker and he was saying just what a huge amount of his time every day is taken up dealing with scams.
C
Right.
A
I can only begin dealing with scamming.
B
It's a gigantic problem for banks. Yeah.
C
I don't know. I think the answer here for the bank is to not conduct any transactions with somebody that's on a phone. You know, just look at him and go, we can't conduct any transactions for you when you're on the phone. Sorry.
B
Oh, oh, right. If you're, if you're, if you're on.
C
The phone, we can't help you.
B
So interesting wrinkle to this. They actually mentioned in the story that he had an earbud in his ear.
C
Okay.
A
Oh, one of those AirPods.
B
Yeah, like an AirPod. So he was not holding the phone up to his ear. But you're absolutely right, Joe. And I would imagine that by this point that bank tellers are trained for that. They would say, I'm sorry, would you mind putting down the call? And that sort of thing. Because to the bank's credit, the tellers are trained to look for these scams, no doubt about it, and certainly have helped save people from it.
C
Right. Because it is much easier to tell someone that's a scam, your money's fine, than it is to have to respond like your friend does to the. I've now lost £23,000. What are you going to do about that?
B
Right.
C
And now you have to get legal involved. Right?
B
Yeah.
C
That's not going to be cheap. So, I mean, if I were this guy, I think I'd just start making them pay £23,000 or 20, you know, whatever to somebody else. And I'd make it clear I'm just going to cost you £23,000 in, like, legal fees. So it's cheaper for you to give me back my money or I'm going to continue to just file these lawsuits against you. Because I can go down to court and file lawsuits against you all day. I'll learn how to do it.
B
It's good to have a vindication.
A
You would, Joe.
C
Yes.
A
And I know you would, Joe. I'm imagining from the bank's point of view, they're going, you made a transaction that you later regretted, but you did it knowingly. That is not our problem. I'm sure that that is what the bank is saying, and I hate taking their side on this, but I'm just imagining.
B
Yeah, I'm imagining Joe, much like the person in your story called the police about the person hanging out outside of the bank.
C
Right.
B
That a similar thing would happen. They call the bank and they'd say, there's a guy who's hanging out in front of the bank every day, all day. And they'd say, oh, that's just Crazy Joe Kerrigan.
C
Crazy old Joe Kerrigan.
A
Crazy Joe.
B
Yeah. He wired all of his money to somebody and now he's made it his mission to. He's warning everybody on their way in to not do business with us. But, yeah, he's harmless. He's harmless.
C
Mostly harmless.
B
Yeah. Just don't make eye contact.
C
Don't make eye contact. Don't make any eye contact.
A
Yeah, Just super annoying. Harmless, but super annoying. Yeah.
C
Largely describes what I am.
B
Yeah. All right, we'll have a link to that story in the show notes. Joe, Maria, it is time to move on to our catch of the day.
C
Our catch of the day comes from Patrick, who sent in an email from the International Monetary Fund. Dave, IMF, if you will.
B
All right, it goes like this. The International Monetary Fund is compensating all the scam victims with some of US$9.8 million and your email address was found on the list. This office has been mandated by the IMF to transfer your compensation fund to you via MoneyGram Money Transfer. However, we have concluded to affect your own payment through MoneyGram Money Transfer. US$5,000 per daily. Until the total sum of US$9.8 million is completely transferred to you. We cannot be able to send the payment with your email address alone. So we want you to get back to us with your full information. We where we will be sending the funds to you director, Mr. W. Alexander Holmes. We will give you direction on how you will be receiving the funds daily. Remember to send us your full information to avoid wrong transfer through Mr. W. Alexander Holmes. He will send $5,000 in your name today. So reply these email ASAP or text him with your full information as soon as you receive this email and tell him to give you the MTCN. Send their name and question answer to pick the $5,000. Please let us know as soon as you received all your fund. Note that your payment files will be returned to the IMF within 72 hours. If we did not hear from you, this was the instruction given to us by the IMF. He will start the transfer soon as he received your information. Thanks. Best regards, Reverend Father Patrick Smith, MoneyGram agent.
C
Good old Father Patrick Smith.
A
You know, Reverend Father Patrick.
B
Reverend Father works.
C
Right, Right.
B
I should have done his. Reverend Father Patrick O'Malley.
C
Right?
B
Yeah. You know, I mean, look, priests aren't paid very much, so he's got a little side hustle going on.
C
So here's the thing. $9.8 million at $5,000 a day will take you over five years to get that money.
B
Oh, yeah.
C
I mean, that's every day I'm gonna send you $5,000. Oh, that sounds miserable. I don't wanna do this every single day. That's if I do it every day for the next five years, 365 days a year.
B
Yeah, I'd be okay with it.
A
Yeah. I would definitely. I would knuckle down and do that.
B
Yeah. Honestly, I could find the energy to make it happen. Sure.
A
5K a day from Reverend Father Patrick Smith from the Church of Cold Hard Cash. Yes, I would do that.
B
Yeah. Yeah. Does that include weekends, Joe?
C
Yes, that's with weekends. You get no vacation, Dave. You can't go anywhere.
A
What about Sundays?
B
Sunday?
C
Yeah. Well, Father, he's going to say mass and then he's going to go to the MoneyGram place.
B
That's right. I mean, he's going to expect you put his little something in the plate when they pass it around. Because he knows there's no holding back from the good Father Smith. Because he knows that.
C
Now, I expect to see $500 in the offertory plate today.
B
Get the old priestly stink eye on your way out of church. Don't want that to happen. All right. Well, that was a good one. We would love to hear from you. If there's something you'd like us to consider for the show, please, please email us. It's hackinghumans@n2k.com. We're going to take one more quick ad break here. We will be right back. Thank you to ThreatLocker, the powerful Zero Trust Enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com.
C
And.
B
That is Hacking Humans. Brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Buettner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazas.
B
Thanks for listening.
Podcast: Hacking Humans by N2K Networks
Date: August 21, 2025
Hosts: Dave Buettner, Joe Kerrigan, Maria Varmazes
Theme: Social engineering, deception, and influence tactics in cybercrime
This episode dives into recent cyber scams, social engineering trends, and memorable stories from both listeners and hosts. Ranging from clever phishing lures to high-stakes banking fraud, the hosts analyze what makes these cons effective, how criminals adapt, and what practical steps listeners can take to avoid being the next victim.
AI Naming Correction: Joe clarifies a previous episode's mistake, noting OpenAI is the company, not "ChatGPT."
Annoyance with Phishing Variant Terms: Discussion about the proliferation of "cute" phishing terms (quishing, vishing, smishing).
Car Theft Using Stuck Phones: A listener shares a scam where criminals stick cell phones to cars to track and steal them, sometimes confronting the victim at their home to retrieve the phone as a pretext.
Chicken Tractor Tangent: Joe lightens things up with updates from his home flock, explaining chicken tractors' roles in rotating grazing (and deterring snakes).
Presenter: Maria Varmazes [11:28–20:34]
Presenter: Joe Kerrigan [20:58–24:12]
Presenter: Joe Kerrigan [24:12–29:46]
Presenter: Dave Buettner [31:39–41:38]
[42:55–46:43]
For more insights and to read discussed articles, check the episode’s show notes on the Hacking Humans website.