Hacking Humans – "Scammers hit the right notes in the wrong way"

Podcast: Hacking Humans by N2K Networks
Date: August 21, 2025
Hosts: Dave Buettner, Joe Kerrigan, Maria Varmazes
Theme: Social engineering, deception, and influence tactics in cybercrime

Episode Overview

This episode dives into recent cyber scams, social engineering trends, and memorable stories from both listeners and hosts. Ranging from clever phishing lures to high-stakes banking fraud, the hosts analyze what makes these cons effective, how criminals adapt, and what practical steps listeners can take to avoid being the next victim.

Key Discussion Points & Insights

Listener Follow‑Ups and Corrections

• AI Naming Correction:
  Joe clarifies a previous episode’s mistake, noting OpenAI is the company, not "ChatGPT."

  • "Last week, I repeatedly referred to the company that makes ChatGPT as ChatGPT. I should have been calling them OpenAI." – Joe [00:51]

• Annoyance with Phishing Variant Terms: Discussion about the proliferation of "cute" phishing terms (quishing, vishing, smishing).

  • "It seems like the only people who like these clever little phishing variants are marketing departments." – Dave [02:17]
  • “If you ask me out of context, what is quishing, I mean, maybe I would guess QR code is involved because of the ‘q’, but it’s just not right.” – Maria [02:24]

• Car Theft Using Stuck Phones:
  A listener shares a scam where criminals stick cell phones to cars to track and steal them, sometimes confronting the victim at their home to retrieve the phone as a pretext.

  • "They’re actually using a phone so they can claim that you stole their phone...a whole thing." – Maria [04:45]
  • "It seems overly complicated yet again." – Maria [04:48]

• Chicken Tractor Tangent:
  Joe lightens things up with updates from his home flock, explaining chicken tractors' roles in rotating grazing (and deterring snakes).

Story 1: Spotify Job Scam Targeting Marketing Professionals

Presenter: Maria Varmazes [11:28–20:34]

• Maria receives a very realistic-looking, but ultimately phony, executive job offer from “Spotify.”
  • "The subject line was ‘Elevate Spotify’s global social media strategy as our next vice president’ sent to me...I was delighted because...that would be absolutely the biggest giveaway ever." – Maria [11:28]
• The scam uses Appsheet to automate mass outreach to plausible marketing targets, avoiding obvious red flags (no bad grammar, no direct phishing links).
• Victims who respond are guided to simulated job processes, culminating in a forced Facebook login – primed to steal credentials, especially for those who may have admin access to business pages.
  • “The whole point...is to try and, I guess, harvest legitimate Facebook credentials.” – Maria [15:08]
• Discussion on why Facebook credentials are valuable, from business access to SSO (Single-Sign-On) exploits.
• Notable social engineering insight:
  • "No job offer would be coming this way." – Maria [14:28]
  • "It is remarkable how good this email is. I don’t see any particular red flags in the grammar or the formatting or anything like that." – Dave [19:08]
• AI’s writing style gives it away ("I trust this finds you well...").
  • "Whenever I have ChatGPT write a letter, the opening line is, ‘I trust this message finds you well.’" – Joe [19:18]

Story 2: Uber Drivers Help Bust $5 Million Grandparent Scam

Presenter: Joe Kerrigan [20:58–24:12]

• Authorities arrest 13 perpetrators running a nationwide scam targeting seniors, using Uber rides to facilitate crimes.
  • “Uber reported it because Uber is frequently used as unwitting courier in this kind of scam.” – Joe [22:15]
• Scheme specifics: Uber was used to ferry money or transport victims; average victim was 84, total theft over $5 million.
• Uber identifies suspicious patterns (multiple pickups from same sources) and alerts law enforcement, enabling arrests.
  • "They started noticing that a lot of people...sending out courier pickups for a bunch of different locations...it kind of sticks out like a sore thumb." – Joe [23:00]
• Notable highlight: Scammer posts photo with stacks of cash on social media, contributing to their arrest.
  • "Look at all this money I took from old people posted on the Internet." – Dave [24:04]

Story 3: The "Cash Drop" ATM Scam

Presenter: Joe Kerrigan [24:12–29:46]

• In Northern California, scammers use distraction and sleight-of-hand at ATMs to swap or steal cards after watching a victim’s pin.
  • "They go up...get your ATM pin...they say ‘hey, you dropped this money’...also kind of pickpockets...take your ATM card or replace it." – Joe [26:06]
• Story unearthed by a watchful loss-prevention agent, leading to arrests. The offenders had warrants for multiple felonies.
• Tips: Always be vigilant at ATMs; check your wallet/cards if approached by a stranger; be suspicious of “did you drop this?” ploys.
  • "If someone walks up to you and says, ‘hey, did you drop this money?’...put your hand in your wallet or something." – Joe [28:18]

Story 4: Journalist Loses £22,000 to Bank Impersonation Scam

Presenter: Dave Buettner [31:39–41:38]

• British reporter Noel Phillips is conned out of his life savings by sophisticated callers spoofing Chase Bank’s info and coaching him into transferring money to "safe accounts" (actually controlled by scammers).
  • "He got a call from Chase bank warning him his account had been compromised...he called them back and he thought he'd reached customer service, and he had not." – Dave [32:17]
• The scammers manipulated call metadata, simulated fraud notifications, and instructed Noel to stay silent at the actual bank, convincing him tellers were “in on it.”
  • "The scammers convinced him that the people at the bank were in on the scam. And so he should not tell the tellers what’s going on." – Dave [34:06]
• UK vs US banking laws: in the US, banks are not obliged to reimburse such losses if the account holder authorized the transfer.
• Hosts discuss emotional fallout, system vulnerabilities, and the necessity of always verifying – and never trusting incoming calls.
  • "It is remarkable how good this email is." – Dave [19:08]
  • "If there’s a mistake...it’s on us to fix it and that the banks will do nothing to help you." – Maria [38:58]
  • "Do not do transactions while on your phone" (as the victim was using an earpiece in the branch) [40:15]

Catch of the Day: IMF Compensation for Scam Victims?

[42:55–46:43]

• Listener Patrick shares a classic 419/Nigerian Prince style email, this time posing as the International Monetary Fund, promising $9.8 million in $5,000 daily increments—if personal data is provided.
  • "The International Monetary Fund is compensating all the scam victims with some of US$9.8 million and your email address was found on the list..." – Catch of the Day read by Joe
• Humor ensues as the hosts calculate the payout would last over five years:
  • "$9.8 million at $5,000 a day will take you over five years to get that money." – Joe [45:09]

Notable Quotes & Moments

• On Phishing Jargon:
  "It seems like the only people who like these clever little phishing variants are marketing departments." – Dave [02:17]
• On Brazen Criminal Posting:
  "Look at all this money I took from old people posted on the Internet." – Dave [24:04]
• On Job Scams' Psychological Play:
  "This is never how this kind of recruitment works...even when the scam is not obvious, there’s something down the line." – Maria [14:28, summarized]
• On Bank Impersonation Scams:
  "The scammers convinced him that the people at the bank were in on the scam." – Dave [34:06]
• On Emotional Impact for Victims:
  "He said that he felt embarrassed, ashamed and worthless after being victim." – Dave [36:01]
• On Personal Security Practices:
  "I have a policy of rigorous honesty where things like that have saved me from getting in, not getting scammed, but getting...pranked." – Joe [25:31]
• Hosts' Joking Around Catch of the Day:
  "5K a day from Reverend Father Patrick Smith from the Church of Cold Hard Cash. Yes, I would do that." – Maria [45:33]

Practical Takeaways

• Be cautious of job offers arriving unsolicited, especially high-level positions or those from generic/non-official emails.
• Never provide credentials or engage in "unsafe" logins prompted by third parties.
• Always verify banking communications using trusted, direct contact info (not numbers from calls or web search ads).
• In physical world cons, use situational awareness: don’t let strangers distract or engage you during transactions.
• If approached with urgent financial instructions by supposed bank security, stop and verify with someone you trust—ideally, directly in person or via the bank’s official, published channels.

Timestamps for Important Segments

• Phishing Jargon Discussion: [01:19–02:57]
• Car Tracking Scam: [03:06–04:58]
• Chicken Tractor Lighthearted Segment: [06:23–10:25]
• Spotify Job Scam: [11:28–20:34]
• Uber Grandparent Scam Busted: [20:58–24:12]
• ATM 'Cash Drop' Scam: [24:12–29:46]
• Journalist’s Banking Scam Loss: [31:39–41:38]
• Catch of the Day: [42:55–46:43]

For more insights and to read discussed articles, check the episode’s show notes on the Hacking Humans website.