Maria Varmazis
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan.
Joe Carrigan
Hi, Dave.
Dave Bittner
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.
Maria Varmazis
Hi. And hi, Dave. And hi, Joe.
Joe Carrigan
Hi.
Dave Bittner
We've got some good stories to share this week, and we will be right back after this message from our show sponsor.
Sponsor Voice
But first, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes, working less than 60 hours per week, perhaps actually having a weekend every so often? We get it. User behavior can be a challenge, but users can also be an infosec professional's greatest asset once properly equipped. What do we mean by that? Well, stay with us and in a few minutes, we'll hear from our sponsors at KnowBe4 on that very question.
Dave Bittner
All right, no follow up this week. So I am going to jump right into our stories here. My story this week comes from an organization called Silent Push, which is a cybersecurity company. They do like threat intelligence for folks, okay? And they published a story about a group that they're calling the Payroll Pirates.
Joe Carrigan
I'm going to guess what they do. Yeah, tough one, right?
Dave Bittner
They are doing HR phishing scams. So let's walk through how you get scammed by this group. They start off by having some ads that are branded to keywords that they buy in the usual places. You know, your Google AdWords, your Facebooks, all the normal places where people buy ads, right?
Joe Carrigan
And once again, big tech is more than willing to sell ads to criminal actors.
Dave Bittner
That's right.
Joe Carrigan
So sorry, everybody. There's a profit to be had.
Dave Bittner
That's right. So what this does is let's say you are working for one of the companies that they target. And for example, Macy's is one of the companies that they target. So you go to your browser, you go to Google, and you do a search for Macy's HR, right? And up pops at the top of your list, the Macy's HR portal. But it is not the Macy's HR portal.
Joe Carrigan
It is a malicious ad, isn't it?
Dave Bittner
Right, it is a malicious ad, but when you click through, it looks to all the world like it is the Macy's HR portal. And of course they ask you for your login information or. Correct, I should slow down. They ask you to log in to what you think is the Macy's HR portal. And as you enter your information, meanwhile, they are actually entering the real Macy's HR portal. This research says that they likely take that information that you gave them and then they combine it with information they're able to gather elsewhere on the web. For example, your Social Security number, your address, you know, the things that the legit HR organization would use to try to verify that you are actually who you say you are.
Joe Carrigan
Right. I'm going to talk about something similar to that in my story today.
Dave Bittner
Okay.
Joe Carrigan
But go ahead.
Dave Bittner
So once they get your credentials and they are into your HR account, they start changing things. And the main thing that they are after here is your bank routing information. So they will go into your HR portal, they will change where your payroll is routed to, because most people do direct deposit these days. They will route the money to a new location and then they sit back and they wait and the payroll happens and your money goes to their bank account. And it probably takes you a little while to figure out what's happening. And by that time they're gone, they've got your money and they're on their way.
Joe Carrigan
They've pulled it out of the bank because it's not a big amount. Right. A paycheck is not a difficult amount.
Dave Bittner
Of money to move around, all things considered. That's right. That's right. It doesn't.
Maria Varmazis
Yeah. For a financial.
Dave Bittner
Yeah, right. Yes, yes. A single payroll doesn't throw up a lot of red flags on its own. But if you can do this at scale, then you can make a lot of money.
Joe Carrigan
I'm talking about the money mules. Right. So you can send a money mule out like let's say your paycheck is $2,000. A money mule can pull that out of an ATM or a couple ATMs and quickly.
Dave Bittner
Right, right. Yeah. That's good.
Joe Carrigan
They can move it.
Dave Bittner
That's true. It makes it a lot easier to launder that money. Yeah. Interesting. So the couple other bits of information about this group, infrastructure wise, they're making use of a lot of the common registrars like Namecheap and some of the inexpensive registrars for the domain names. And they register domains that look legit-esque from the outset. Right. With the companies that they're trying to target. So how do we protect ourselves against this sort of thing? Well, of course, vigilance. Easy to say. I would say you know, never. I mean, never click on an ad.
Joe Carrigan
Yeah, that's. But that's almost impossible, especially with the social engineering that Google and Facebook do. Well, particularly in this case Google, because that's where you're going to get these ads. You know, in fact, I have found myself using Google less and less. I am starting to use Bing as my search engine.
Dave Bittner
Wow.
Joe Carrigan
And what do you mean, wow? Are you saying that's not any better?
Maria Varmazis
It's just one of those phrases you just don't expect to hear.
Dave Bittner
Right.
Joe Carrigan
And I can't tell you why. It's just. I have the feeling, I mean, for a couple reasons. One, when I enter Google search results into Google, I get these ads that are just intrusive. Like the first five search results look like ads like Google has gone ad crazy with all their products. Like YouTube is a miserable experience if.
Maria Varmazis
You don't have YouTube Premium, which I don't.
Joe Carrigan
So when I go to Bing, I don't get accosted with as much. And it seems to me the ads are better defined by Microsoft than they are by Google. Also, the search results are better.
Dave Bittner
Have you tried DuckDuckGo?
Joe Carrigan
I have tried DuckDuckGo. Search results not as good. Although they're using just Microsoft's search engine.
Dave Bittner
They're using Bing. Yeah, yeah, yeah.
Joe Carrigan
So I don't know why they're not as good as Bing. I like Bing better.
Dave Bittner
Okay, fair enough.
Joe Carrigan
But yeah, that's where I am with this, is I've kind of started to make the switch.
Dave Bittner
Yeah.
Maria Varmazis
Bring back Ask Jeeves. That's what we need. We just.
Dave Bittner
We all went sideways.
Maria Varmazis
We get rid of our butler.
Dave Bittner
That's right. I think one of the issues here is that a lot of folks. I was going to say unsophisticated Internet users, but I don't think that's fair anymore at this point. What does that really mean?
Joe Carrigan
Right.
Dave Bittner
But a lot of people think of Google as being the front door to the Internet still.
Maria Varmazis
That's true.
Dave Bittner
And for a lot of people it is. So if they're looking for anything, they just go right to Google and. Because traditionally that works. But when these folks are able to buy their way to the top of the search results and Google doesn't do a great job filtering out these ads that appear to be from legitimate organizations, you say you gotta be really vigilant because they are labeled as ads, but it's not in your face.
Joe Carrigan
It is not. It's very subtle.
Dave Bittner
Right.
Joe Carrigan
Google has a financial incentive for you to click on that link.
Dave Bittner
Yeah.
Joe Carrigan
They get paid more when that happens.
Dave Bittner
Yeah, yeah.
Maria Varmazis
And it used to be that if you went. Went to a fishy website a while ago, you would sort of have a spidey sense of this website looks scammy. It doesn't look as well put together. But now with the. I hate to say the phrase, but I've got to. The enshittification of everything. The professional services that we're all sort of used to are not looking as professional as they used to. A lot of good websites don't look as good as they should. I don't know. You just. The bar has been so lowered in a lot of things that that spidey sense of this looks scammy. A lot of things set that off. Nowadays it's kind of harder to discern what's real and what's not even if you're really paying attention for it.
Dave Bittner
Yeah, I agree. I'm trying to think like from the HR department's point of view, the kinds of things they could do to help lock this down more obviously. Education, telling people, don't go searching for our HR portal on Google. I mean, try to make it as easy as possible for your employees to use the internal web portal and then just lock that puppy down. You know, I mean, if there's ever a place to have robust multifactor authentication, I would say hardware keys.
Joe Carrigan
Yep. Every new employee gets two.
Dave Bittner
Yeah.
Joe Carrigan
Just give them to them.
Dave Bittner
Right, right. And require them for your HR stuff. Why not?
Joe Carrigan
There's no reason to not. Except for the cost of like $90 per person for hiring.
Dave Bittner
Right.
Joe Carrigan
It's not that big of a cost per person.
Dave Bittner
Right. Any other thoughts here for how folks on the HR side might be able to help their users keep this from being a problem?
Joe Carrigan
Well, they could buy ads from Google, Dave, and put the legit side up.
Dave Bittner
Right.
Joe Carrigan
And that's probably Google's solution.
Dave Bittner
We hate that.
Joe Carrigan
You know, isn't that nice? Wouldn't it be nice if you just bought some ads from us and then your employees wouldn't be getting their. Their paycheck stolen like a.
Dave Bittner
It's like a mob.
Joe Carrigan
Right.
Dave Bittner
Hey, it's a nice HR department you got here. It'd be a shame if somebody were to buy ads and get to get access to it.
Joe Carrigan
Right, Exactly. That is what you're dealing with.
Dave Bittner
Yeah. Wow. This is where we are.
Joe Carrigan
We're still waiting for that big ad contract here on the CyberWire from Google. Right. That's never going to happen.
Dave Bittner
I think it's not going to happen. No. You know what's funny is one of the articles I was reading about this, about this kind of thing, pointed out that it's not that Google is doing nothing. They said Google has removed literally billions of fraudulent ads a year.
Joe Carrigan
Right.
Dave Bittner
And millions of accounts. But this just can't keep up. It's just.
Joe Carrigan
It's whack-a-mole.
Dave Bittner
Yeah.
Joe Carrigan
These guys can just spin up new accounts very quickly and very easily.
Dave Bittner
Right, right. And as you say, Joe, I mean, it's. They're dealing with perverse incentives.
Joe Carrigan
Yes.
Dave Bittner
Yeah. All right, well, we will have a link to this story in the show notes. This is some research from the folks over at Silent Push, who, of course, they are happy to sell you a solution to this problem.
Joe Carrigan
Of course they are.
Dave Bittner
But. But the research itself is quite interesting. All right, let's move on. Joe, what do you got for us this week?
Joe Carrigan
Dave, you remember a long time ago when I said I felt left out because I never got any scam text messages?
Dave Bittner
Yeah. Nobody loves you.
Joe Carrigan
Right. I regret saying that, Dave.
Dave Bittner
Oh, my.
Joe Carrigan
And I want to be. I want. Yeah, I know. I want to feel like I was. Like, I'm left out again. So I got the first one of these. First off, I've been getting all kinds of scam packages, scam package delivery, text messages. I said that totally wrong. You know, the USPS ones that are obviously just links or Amazon. Here's a link. And Google has done a pretty good job. I'm going to say this about Google. We just got done bashing them. But I do pay Google for my phones, and they have done a pretty good job of keeping that kind of stuff out of my inbox. Well, I got one when I was down recently. I went down to Texas and I got one that was somebody doing this wrong number text thing. Right. And she starts. She? I say she. Like, it's really a she. It's probably not a she, but this person starts texting with me and calling me by some wrong name, and I'm like, nope, I'm sorry, you have the wrong number. And then we carry on this conversation. Eventually I'm like, I start saying, yeah, well, I'm not in Maryland right now. I'm in Texas. And I'm out here hog hunting and coyote hunting. And it was fun for a while, but eventually I stopped. But at some point in time, this person sent me a picture of a very attractive young Asian woman. Which is interesting because yesterday as I was leaving my office, I got another one that says, hey, are you still in Maryland? And I'm like, well, that's weird, because this is not the same number. And. But this one said, hey, Joseph, are you still in Maryland? That's why it got my attention.
Maria Varmazis
Oh, interesting.
Joe Carrigan
And I responded, who is this? Because I don't know, maybe it's some. You know, I get a lot of calls from recruiters from time to time, and it seems to be that those are ticking up right now. I'm getting people from recruiting companies trying to contact me, and I'm not looking for a job, so I try to avoid talking to them. But that's what I thought it was, was a recruiter. So I said, who is this? And then I get the long intro. Oh, it's me. I met you from this place. Don't you remember? We had dinner together. And I'm like, no. And they sent me another picture of a different young, very attractive Asian woman.
Dave Bittner
Right.
Joe Carrigan
And I'm wondering, why is it always Asian women? Maybe that's the source. You know, maybe that's where it's coming from. I don't know. I don't know if there's anything significant about that at all.
Dave Bittner
There may not either. But you're right. I mean, that's. Whenever you see these people doing screen grabs of these. That is pretty consistent.
Joe Carrigan
Right. So I just ignored that one and put. Sent that one to spam. I just don't have time for this anymore. My point here is the second one actually got me, even if it was only briefly, they got me to respond and engage. Right. I didn't hit it off. I didn't get it as a scam right away because they came in, they had my first name, which is what I was talking about earlier. My phone number and name are probably out there in some scammer system with a bunch of different things. By the way, I told the people that the one I was talking to when I was in Texas that my name was Butch, and she asked for a picture of me, and I just Googled redneck with a shotgun and sent the first result.
Maria Varmazis
Wow.
Joe Carrigan
Pretty. Pretty good.
Dave Bittner
I Googled redneck with a shotgun, and darn it if my picture didn't.
Joe Carrigan
This looks remarkably like me with a shotgun.
Dave Bittner
The truth hurts. Wow.
Joe Carrigan
This, I'll tell you, Dave, the picture is not that far off. If I had a beard, wow. Could easily have been me and was a little younger. Yeah. So. So, I mean, this guy was exactly the same build as me.
Dave Bittner
Okay.
Joe Carrigan
So, yeah, it was a little bit like, wow, maybe I shouldn't have Googled that.
Maria Varmazis
A lot of monkey paws just curling in this story. I'm just hearing it.
Joe Carrigan
All right, so we'll have to ask later what that reference means.
Maria Varmazis
I don't get the monkey paw, the fingers. You were doing things with unintended consequences.
Joe Carrigan
Oh, oh, oh, oh. Okay. Yes, I get it. Yes. Like the monkey paw wishes. Yes. Right.
Maria Varmazis
Got it.
Dave Bittner
You call yourself a Simpsons fan?
Joe Carrigan
Oh, the Simpsons fan. No, I know the Simpsons.
Dave Bittner
Maria.
Joe Carrigan
I wish I had.
Dave Bittner
Am I right, Maria? Am I right? Yeah.
Joe Carrigan
So a lot of unintended consequences. Anyway, my point here is I was wondering what these scams are. What's their end game? What is it? And I looked around today, and I found a company called themerrimack.com, it's actually a community bank, and it's up my way.
Maria Varmazis
I live in the Merrimack Valley.
Joe Carrigan
Okay.
Maria Varmazis
It's a river.
Joe Carrigan
Do you know Merrimack Community Savings Bank?
Maria Varmazis
Not personally, but it's a thing that exists in the area that I live in. Yep.
Joe Carrigan
Okay, well, they have a nice story here. Or like a little don't get caught by this scam kind of thing. It was posted on October 17th. We'll put a link in the show notes. Wrong number text scams are on the rise. And what it is is it's the. They'll strike up a conversation with you after you've established that it's a wrong number, and then they try to lure you into some kind of scam. And this could take weeks or months to do this. So they're patient. They are willing to do this. So how to protect yourself? They say, ignore texts from people you don't know. By responding, you're letting the scammer know your phone number is active and you could be receiving more texts.
Dave Bittner
Which happened to you.
Joe Carrigan
Exactly.
Dave Bittner
Well, that's what I was. I was gonna give you a little hard time, Joe, because when you were describing the second one, you said, I never interacted with these people. But you.
Maria Varmazis
Why did you respond?
Joe Carrigan
That's right.
Dave Bittner
Right. You let them know that that was an active phone number.
Maria Varmazis
It's like the whole joke about people getting solicitors at their front door. And people under a certain age never have this issue because none of us answer the door when the doorbell rings. It's like, if I wasn't expecting you, I am not answering the door. I don't care who you are. It's the same with the phone. Just don't. Just don't.
Joe Carrigan
Reminds me of the Kathleen Madigan joke where her father was saying that he was a door to door salesman and she said, what do you do with the people that have the no soliciting sign? He goes, oh, those people buy anything.
Dave Bittner
Oh, my.
Joe Carrigan
That's why they have the sign. Yeah. So, yeah, this was my mistake here. I thought I was going to have some fun with the first one, but now I'm getting hit with the second one. I got actually a third one, which may have been a. An actual wrong number. Because this person followed up with a call, and they were looking for their dad. And I sent him a text, said, wrong number. And they. And I've said, I got two texts in a phone call, wrong number. And they were like, yeah, sorry about that. It was wrong number. And then that was it. I haven't heard anything back from that one yet.
Dave Bittner
So I get calls. Do people just call you out of the blue and say, did you call this number? Do you ever get that?
Joe Carrigan
I have never gotten that.
Dave Bittner
No, I have. I've gotten it a couple times.
Joe Carrigan
Only when I have called a number do I get that.
Dave Bittner
Yeah, I've gotten that a couple times.
Maria Varmazis
Hmm.
Joe Carrigan
That's weird.
Dave Bittner
Just out of the blue, right? Like, it's not someone I called, but I call back and I say, no, I've never called this number. And they're incredulous because somebody has spoofed my number. Right. To call them.
Joe Carrigan
Okay.
Dave Bittner
And they're like, well, I got your. It says right here. This is the number they called me. I did not call you. I don't. I've never met you. I'm sorry.
Joe Carrigan
That's what. Dave. You need to go all expert on them. Do you know who I am?
Dave Bittner
People love that.
Maria Varmazis
I'm Dave Bittner from the CyberWire.
Dave Bittner
I'm going to ask you to go to your computer and do a Google search for Hacking Humans.
Joe Carrigan
I want you to listen to the entirety of the catalog.
Dave Bittner
That's right. Now, don't click on the first link that comes up, because that's Hacking Humans and it's totally a scam site, so.
Joe Carrigan
Yeah, because somebody bought a Google ad.
Dave Bittner
Yeah. All right. Anything else, Joe?
Joe Carrigan
No, that's it. Just. You should probably ignore those stupid messages and the people who have written us saying, don't engage with these people. You're all 100% correct. I couldn't help myself.
Dave Bittner
Do better than Joe.
Joe Carrigan
Right?
Dave Bittner
The message for the day, do better than Joe. 317 episodes in, ladies and gentlemen, and.
Maria Varmazis
I just. It's okay.
Dave Bittner
Yeah, that's right. He did it. He does it so you don't have to.
Maria Varmazis
That's right.
Dave Bittner
That's right.
Joe Carrigan
What did you say? Dog fooding?
Dave Bittner
Yeah. Taking one for the team.
Joe Carrigan
That is the second time in as many days as I've heard that reference. Now I have to look that up and figure out what that means.
Maria Varmazis
It's a stupid tech term.
Dave Bittner
Did you have a stroke this week? No. You've never heard dog fooding? I understand dog fooding or monkey. You've been a developer, you don't know dog fooding or a monkey's paw? No. Joe, you're good.
Joe Carrigan
I know monkey's paw. I get the monkey paw.
Dave Bittner
Before you leave. Are you taking your blood pressure?
Maria Varmazis
Actually, I invented these phrases. Me specifically, no one else. You've never heard them before?
Dave Bittner
I've said that.
Maria Varmazis
I'm that brilliant.
Dave Bittner
That's right.
Maria Varmazis
That's exactly it.
Dave Bittner
That's right.
Joe Carrigan
Oh, eating your own dog food. I've heard to eat your own dog food thing.
Dave Bittner
Okay.
Joe Carrigan
Yeah.
Dave Bittner
Yeah. All right.
Joe Carrigan
Yummy. Yeah.
Dave Bittner
We're gonna take a break before our next story to hear a quick word from our show sponsors.
Joe Carrigan
Stay with us.
Sponsor Voice
We were talking about making users into an asset for security professionals. Simply put, users want to do the right thing. They're often just lacking the knowledge to do so. That's one of the reasons KnowBe4 has released Security Coach, a real time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. For example, imagine a user has visited a high risk website or tried to open a document containing malware. Existing security tools will likely block that action, but the user might not understand why. Security Coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with Security Coach. Learn more about Security Coach at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach.
Dave Bittner
All right, we are back. Which means, Maria, it is your turn. What do you got for us this week?
Maria Varmazis
I guess we're all just doing stuff that happened to us this week.
Joe Carrigan
Sounds like a good one.
Dave Bittner
Yeah.
Maria Varmazis
Because I had something pop in my inbox after all the stories that we've been doing recently about people sending invoices through legitimate services that look real but are actually fraudulent. Usually these get caught by our spam filters. They're pretty easy to get flagged. But one actually landed in my inbox and it was a fraudulent PayPal invoice. But there was something about it that I thought was actually kind of impressive in a bad way. So that's why I'm highlighting it, because the ones that just say, here's an invoice for some money. Yeah, yeah, yeah, you know that those are fake. But the one that I received that said, here's your invoice again, sent via PayPal legitimately, but of course fraudulent, had spammed everywhere throughout it. In the subject line, in the message, in the actual fake transaction note, seeing a charge that doesn't seem right. Reach out at actual phone number for help, which I have not seen that before, where it says basically a fake customer support number in the subject line, in the subject line, in the message, even in the note from the seller. It's throughout the message. So this actually surprised me because they're expecting that someone's going to go, oh, this is obviously one of those fake invoices. They know that that's going to be the reaction. And they're expecting you to go, well, I'm not expecting this. Let me call this phone number. And by repeating it, hopefully a whole bunch of times, somebody might actually do it. So I actually did it, but my ISP was clearly looking out for me because the number was disconnected, which I was really disappointed about. So I clicked the link in the email, which was also a really stupid idea.
Joe Carrigan
Maria, what have we learned from my story today? Nothing. That's the answer.
Maria Varmazis
I've learned nothing. I should be fired immediately. I clicked the link in the email.
Dave Bittner
Got bad news for you, Maria.
Maria Varmazis
I am now completely compromised. And it indeed, because I looked at the URL, I'm like, this is a legitimate PayPal URL. And it actually did go to PayPal. PayPal very nicely at the very top, said, this has been flagged as a fraudulent invoice. So good job, PayPal. The phone number. The phone number in the subject line and in the message and all that had actually been changed by that point. So, and I called it again because I was really curious what would happen if I called that number.
Joe Carrigan
When you click on the link, you see an online version of the invoice.
Maria Varmazis
Of the invoice, and the phone number had changed by that point. Who knows how many times they had cycled through new phone numbers again, like whack-a-mole. But I called that number before, I suppose PayPal froze the invoice as fraudulent. And unfortunately, my ISP yet again looked out for me and didn't allow the call to go through. But I was, I was really impressed that they had. They, you know, they were trying to squeeze as much as they could out of this fake invoice. By cycling through a whole bunch of fake numbers before PayPal put the pain on them. But yeah, I was very impressed by that. And again, in a bad way. It was not good. Don't do this. This is bad.
Dave Bittner
But let me add just a little bit of color to this, which is. I was visiting with my father recently, and as I've shared with the show, my father is quite elderly and he had one of these and of course he printed it out to show me. That's what you did.
Maria Varmazis
Oh, I love that.
Joe Carrigan
Did he try clicking on the link by pushing it? Oh, have you, Dave? Let me ask you, and be honest with me, Dave, have you ever pushed on a piece of paper thinking that it would get an interface to work?
Dave Bittner
No, but I have seen it said that to a toddler, a magazine is a broken iPad. Ah, right. 'Cause I've seen toddlers try to zoom in.
Joe Carrigan
Right.
Dave Bittner
Like pictures in magazines. Yes. The pin, the pinch producing two fingers.
Maria Varmazis
Yes.
Dave Bittner
Yeah. So no, I have not seen my father. My father did not try to click a link on the printed out paper. However, I did have an aha moment with my father not long after he got his first iPhone. He couldn't understand why he was having trouble with it and I came over to help him with it and he was trying to click the screen with his fingernail.
Joe Carrigan
Ah.
Maria Varmazis
Oh, yeah.
Dave Bittner
Not the fleshy part of his finger.
Joe Carrigan
Right.
Dave Bittner
Couldn't understand why it wasn't working. And so what's amazing to me about working with my dad with a lot of this tech stuff is that he comes up with things that I never would have imagined.
Joe Carrigan
Right. He should be a tester, Dave.
Maria Varmazis
My father did the same thing too. I remember he had a really hard time with it. I don't know if this is relevant for the show, but my dad. And when I showed my dad the correct way to tap the screen, it still wouldn't register his finger. It was something about his skin being so dry.
Joe Carrigan
Yeah, that's starting to happen to me too.
Maria Varmazis
Yeah. By the way, I was just saying.
Dave Bittner
So some of it was the fingernail with age?
Joe Carrigan
I believe so.
Maria Varmazis
Sorry.
Dave Bittner
The device believes that your flesh is no longer living desiccated.
Joe Carrigan
I don't know what it is, but, like, I can't turn my alarm off in the morning sometimes.
Dave Bittner
Oh my.
Joe Carrigan
Oh, no. And when somebody calls, I can't answer. And my wife says, just lick your finger and do it. I'm like, I'm not licking my finger.
Dave Bittner
You lick your finger and do it.
Maria Varmazis
You're officially old if you have to do that. I'm sorry, it's just the rules.
Joe Carrigan
I will say this, though. If you lick your finger, it works.
Dave Bittner
Yeah. I'll take your word for it.
Maria Varmazis
Don't touch anything that Joe has touched is what we're hearing.
Joe Kerrigan
Yes. There's Joe spit all over everything.
Dave Buettner
Getting back to my dad, he hands me this printed out invoice, right? And he says, what is this? And I say, that's a scam, dad. There's nothing, nothing for you to do here. He says, it's a scam. I said, it's absolutely 100% a scam. He says, okay. He says, should I call the phone number on here?
Joe Kerrigan
Okay, we're laughing, we're laughing. But no, this is how this works, right?
Dave Buettner
That's my point. Right? Like, yes, this is exactly how it works, right?
Maria Vermazas
Yep.
Dave Buettner
Because for some reason he thought that even though it's a scam, if he called the number, he could set it right.
Joe Kerrigan
Right.
Dave Buettner
Like he could call him and say, stop sending me this or whatever. But yeah, I'd say, no, don't do. You don't have to do anything. Just ignore it, leave it alone, never look at it again, delete the email and anything like it. So again, you know, he has reactions to things that are beyond my own imagination, which is good for me to learn, you know, what's possible and, you know, and it's entertaining for our show. So there you go. Yeah.
Maria Vermazas
And the phone numbers that I dialed were all American phone numbers. I mean, they were, they were area codes of areas that I'm not from. But one of them was from Indiana, the other one was from Illinois. And I actually googled them also. And they are formerly owned by legitimate businesses. So, you know, it was just really interesting to kind of go down what the scammers were using. And I just, I was imagining the coordination between, you know, the phone companies and PayPal on this and just what a pain this must be. So, yeah, that was fun. That was fun. So that, that's my first of two stories. The second one was actually kind of a bit of a follow on to a story that I covered a little while ago about job scams that are proliferating through LinkedIn. And I saw another person in my LinkedIn sort of universe post about an experience that they had. And I'm going to keep this anonymous because this is a very painful thing that happened to this person. But a young job seeker who's been unemployed for about a year now basically fell victim to a job posting they found on LinkedIn. They completed an interview, they got a job offer and completed the tax documentation, identity paperwork and payroll documents. And unfortunately, after going through all that, found out that the job posting was fake and the scammer behind all this cleared out their entire bank account. They basically transferred everything within their bank account over either through Bitcoin or cashed out through a cashier's check. And I was just kind of. Aside from just feeling really terribly for this person, I also noticed that this person is very young and I was wondering if people are not having a conversation with younger folks now. I feel a little old saying this. Handing over your routing number and your account number is advice like not, don't do that. And I remember getting that advice when I was younger, when I got my first checkbook, which is how you know how old I am. 
But since checkbooks are not really in use much anymore, especially by people under a certain age, I'm wondering if that knowledge has been lost a little bit that your bank account number and routing number are the keys to the kingdom. You don't just hand that out. You have to be very, very careful with that. And I, because I know there's a lot of payroll documentation that send especially to freelancers where they're just asking for that information. You don't know who they are. It's very easy for them to do a lot of, you know, ACH fraud with that info. And I don't know if people know that that's really information you've got to be extremely careful with. So I guess it's sort of a. Maybe a call to action for us, for those of us who have younger people in our lives to remind them that that's information you really don't want to give out easily. And then even. And if you think that this job posting might be true, but you're still kind of iffy on it or just out of abundance of caution. One bit of advice I saw in the comments on this person's post was about having a quasi empty bank account just for the purpose of waiting for these deposits to actually clear for if it's a real job. Not giving out. Yeah. Not giving out your actual bank account information that has your real amount of money in it. Just sort of having a fake one in case. Yeah. A decoy bank account. Yeah. Which I was like, I can't believe this is the world we live in now. But it is the world we live in now, right? Yeah.
Joe Kerrigan
So I started doing this when credit card fraud started becoming a problem and we had an ATM card and the ATM card became like a Visa. Right. And I read somewhere that if you, if you got scammed or if you, if someone stole your, your credit card, you wouldn't be liable for any of the charges. But if someone stole your ATM card, you, you might be liable for up to $500 for the charges. Yep, you might, that might be the amount of money you don't get back. So my wife and I immediately opened another checking account at the same institution, and they're back to back. And one of them has the debit card attached to it and the other one does not. So we said, we don't want any debit cards or any checks for this. This is just for us to receive money. And the other one is the one that money goes out of. So if someone steals our, if someone gets a hold of our credit. If someone got a hold of my debit card right now and went out to spend more than $100 on it, it would get declined because there's not a hundred dollars in that account. That money is behind essentially a banking firewall. Now, this would require the addition of a third checking account for you to receive the money and then you'd have. So, you know, you have a receiving account, a spending account, and a holding account. I don't know if banks are willing to do that, though.
Maria Vermazas
Yeah, I was gonna say it's a lot of work. It's a lot of moving money around. It's also assuming you can get a bank account, which can be tough for some folks. Yeah.
Joe Kerrigan
But if you're not getting a bank account, there are other ways to get paid. And I don't know that those ways are scammable like this. I'm just not familiar enough with them.
Maria Vermazas
Yeah, when I was a freelancer, most of the time any requests about sharing account and routing information went through a third party, like a verifiable business, like a payment transaction service that was trustworthy. But sometimes you are just sent literally a PDF and put your information in this. And you just got to trust that that vendor is who they say they are. And it's pretty nerve wracking. But again, when you were a freelancer.
Joe Kerrigan
Did you have a, is this a service that you paid for or that you had out there as a freelancer that.
Maria Vermazas
No, I was at the mercy of whoever was hiring me. They all had their own different services that they preferred to use. So I would send an invoice and I would say, you know, contact me if you need this information because I'm not putting it on my invoice. But I saw other freelancers would freely put their account and routing number, you know, at the bottom of their invoices. And that was a little dangerous.
Joe Kerrigan
Oh, no.
Maria Vermazas
Yeah, yeah. People do that because they figure it's an easier way to get paid. But sometimes.
Joe Kerrigan
Immediately, I just want to find one of those guys, have him do some work for me, and then drain his bank account. I mean, that's the threat model right there. Right.
Maria Vermazas
Unfortunately, it happens a lot. And so you as a freelancer, you can go through, try to set up your own third party intermediary, like using an invoicing service sometimes. But those cost money and not everybody has the money to pay for that upfront. And if you are working with a more established company, they may have one that they want you to use. But if you're a small freelancer doing work for a small business, chances are they just want to get that information directly from you. And there's a lot of trust that goes on there. And sometimes it's abused. And again, I don't know, especially younger folks who are entering the workforce, if they know how there is no additional firewall set up between your account number and routing number, that's it. If they have those two numbers, that's all they need. And I don't know if people know that.
Joe Kerrigan
So they also need like an ACH authorization or something like that. Right. I mean, or do they?
Maria Vermazas
My understanding is they just need your account number and routing information because that's usually all I've ever given out when I've had to do this.
Dave Buettner
So I think there's also the element, especially when you're applying for a new job, that you don't want to be the one who's a pain in the butt.
Maria Vermazas
That's right.
Dave Buettner
Potentially new employer. Right. So they send you an avalanche of paperwork to fill out and you don't want that person.
Maria Vermazas
Yeah, right. Especially if you've been out of work for a really long time. At that point you're just like, whoever, whatever, yes, please pay me.
Dave Buettner
So what can I do to start this money flowing?
Maria Vermazas
Correct. Last thing you want to do is put up a barrier. So I'm sure these scammers know all of this, and that's what they're exactly what they're banking on. And it just kills me to see that more and more in my LinkedIn feed, at least because I'm on there all the time for work reasons. I'm seeing all these posts from people saying, I've been unemployed forever. I'm seeing more of these scams or I got hit by these scams. And it's just. I mean, it's anecdotal in my case, but my goodness, it just really seems to be getting worse out there. So just be careful, everybody, I guess.
Dave Buettner
All right, well, we will have links to all of our stories in the show notes. And of course, we would love to hear from you. Our email address is hackinghumans@n2k.com. Joe, Maria, it is time to move on to our catch of the day.
Joe Kerrigan
Dave, our catch of the day comes from William, and it's Dr. It's a note from Dr. John Schindler, who is the Secretary General of something.
Dave Buettner
Well, what a coincidence. So am I right? I'm the Secretary General of the Hacking Humans podcast. I just gave myself a promotion.
Maria Vermazas
Please put that in your email signature. That would be amazing.
Dave Buettner
Secretary General.
Joe Kerrigan
Secretary General.
Dave Buettner
Dave Bittner, Hacking Humans Podcast. That's right. All right. It says, from Dr. John Schindler, Secretary General, but the email address is din makuhukuamika mail.com. Subject: Fund Refund. Reply to: United Bankfor Africa cmail.com. And it goes like this. Attention, my dear. After the global Financial Pact Summit of Paris, the International Monetary Fund has come to the conclusion to pay off your compensation funds. You are in the Badge B category that are going to benefit from the world's largest humanitarian aid budgets. With due regards to the instruction from the IMF and the Financial Stability Board, I want to inform you that the Financial Stability Board have arranged your payment through United bank for Africa to immediately affect the transfer of your $1.75 million via UBA bank online transfers. The transfer of your fund will be processed and completed within three working days, within which the fund will safely reflect into any designated bank account of your choice. To this effect, you're required to contact Sir Joseph Worley, Mandy Online Banking Services, UBA Bank. Send the below info to Sir Joseph W. Mandy. Your full name, your full address, your contact telephone, your profession, your ID and driver's license, your bank name, your bank address, your account name, your account number, your SWIFT code and your routing number. If you have any questions or concerns regarding this payment, please do not hesitate to contact us. We are happy to assist you in any way we can. Thanks and best regards, Dr. John Schindler, Secretary General. Copyright the Financial Stability Board. Copyright.
Maria Vermazas
That's the part that gets you well.
Dave Buettner
You know, I was going to copy this, but I don't want to get in any trouble.
Joe Kerrigan
We just read it on a podcast, Dave.
Dave Buettner
That's right.
Joe Kerrigan
What are we going to do?
Dave Buettner
Yeah. You're going to come after us, right? All right. What do we make of this gang?
Joe Kerrigan
It's an advanced fee scam. That's what it is. You send this information. Actually, this is like multiple scams. If you send all this information along, they will do whatever they can to steal your identity, drain your bank account. SWIFT code. Nobody knows their SWIFT code. The bank SWIFT code.
Maria Vermazas
That's who knows what a SWIFT code is.
Joe Kerrigan
Well, SWIFT is the.
Dave Buettner
Oh, you had to ask Maria?
Maria Vermazas
I don't know what that is. I don't.
Joe Kerrigan
SWIFT is like something about secure, something, something. Fund transfer.
Maria Vermazas
You don't even know what it is, Joe, come on.
Joe Kerrigan
I don't know what it is, but it's the system that banks use behind the scenes to transfer large amounts of money between each other.
Dave Buettner
Internationally.
Joe Kerrigan
Internationally.
Dave Buettner
International system for transferring money.
Joe Kerrigan
And it. It's one of the things that the North Koreans have hacked. Allegedly. North Koreans have hacked. The Lazarus Group has hacked it. So, I mean. But generally, like, I don't know that you're. That you walk into your bank and go, what's the SWIFT code here? I don't know.
Dave Buettner
They'll tell you. Right, right.
Maria Vermazas
Please come with me, sir.
Dave Buettner
Right, right. We need a listen. What's the SWIFT code? And listen, while I'm here, I need to set up a decoy. No flags, no notes, no flags, no. All right, well, thank you, William, for sending this in. We do appreciate it, and again, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. We want to thank all.
Sponsor Voice
Of you for listening. And of course, we want to thank our sponsors at KnowBefore. They are experts in helping users do the right thing through new school security awareness training.
Dave Buettner
That is Hacking Humans, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Iban. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpie is our publisher. I'm Dave Buettner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Vermazas
And I'm Maria Varmazas.
Dave Buettner
Thanks for listening.
Podcast Summary: Hacking Humans - "Silent Push, Loud Consequences"
Podcast Information
In the episode titled "Silent Push, Loud Consequences," hosts Dave Buettner, Joe Kerrigan, and Maria Vermazas examine social engineering tactics that exploit human trust rather than software flaws. The discussion covers several scam methodologies, the hosts' own encounters with phishing and fraudulent invoices, and practical measures for guarding against these threats.
Timestamp: 01:38 - 11:27
Dave Buettner introduces the primary topic by referencing research from Silent Push, a cybersecurity company specializing in threat intelligence. The focus is on a malicious group dubbed the "Payroll Pirates," who execute HR phishing scams to siphon employees' payroll funds.
Key Points:
Ad-Driven Phishing: The scammers purchase branded ads through platforms like Google AdWords and Facebook, targeting specific keywords (e.g., "Macy's HR").
Dave Buettner [02:34]: "They start off by having some ads that are branded to keywords that they buy in the usual places."
Impersonation of Legitimate Portals: Clicking these ads leads users to counterfeit HR portals that mimic legitimate websites, prompting employees to enter their login credentials.
Joe Kerrigan [03:08]: "They ask you to log in to what you think is the Macy's HR portal."
Credential Theft and Payroll Diversion: Once credentials are obtained, scammers alter payroll routing information to divert funds to their accounts, often employing money mules to launder the proceeds.
Dave Buettner [04:02]: "They start changing things. And the main thing that they are after here is your bank routing information."
Infrastructure and Resilience: The group utilizes common and inexpensive domain registrars, making it easier to spin up new fraudulent sites rapidly despite ongoing removals by platforms like Google.
Maria Vermazas [06:12]: "Google has removed literally billions of fraudulent ads a year... But this just can't keep up."
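The "Credential Theft and Payroll Diversion" point above describes what the defender's telemetry would actually show: a direct-deposit change made shortly after a login from a device the employee has never used, with the new destination reused across several victims (the money-mule account). The following is an added example, not Silent Push's code or anything from the podcast, of detection logic that scores such changes in an HR self-service audit trail. The event format, field names (`dd_change`, `new_device`, `new_routing` and so on), the one-hour window and the sample events are all constructed assumptions; a real deployment would map them onto the HR system's own audit export. The ABA routing-number checksum is the standard weighted mod-10 rule and is included because a destination that cannot even be a valid routing number is a cheap, high-confidence signal of tampering or a typo in the attacker's mule data.

```python
"""Score direct-deposit changes in an HR/payroll audit trail for payroll-diversion signals.

Added example (not Silent Push's or the podcast's code). Event schema, thresholds and
sample data are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Routing/account numbers are placeholders.
# "123456780" and "987654320" satisfy the ABA checksum; "123456789" does not.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:00", "user": "alice", "type": "login", "ip": "203.0.113.10", "new_device": False},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "type": "dd_change", "ip": "203.0.113.10",
     "old_routing": "123456780", "new_routing": "123456780", "new_account": "1111"},
    {"ts": "2024-05-02T14:10:00", "user": "bob", "type": "login", "ip": "198.51.100.7", "new_device": True},
    {"ts": "2024-05-02T14:12:00", "user": "bob", "type": "dd_change", "ip": "198.51.100.7",
     "old_routing": "123456780", "new_routing": "987654320", "new_account": "9988"},
    {"ts": "2024-05-02T14:40:00", "user": "carol", "type": "login", "ip": "198.51.100.7", "new_device": True},
    {"ts": "2024-05-02T14:41:00", "user": "carol", "type": "dd_change", "ip": "198.51.100.7",
     "old_routing": "123456780", "new_routing": "987654320", "new_account": "9988"},
    {"ts": "2024-05-03T09:00:00", "user": "dave", "type": "dd_change", "ip": "203.0.113.44",
     "old_routing": "123456780", "new_routing": "123456789", "new_account": "5555"},
]


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing transit number check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def detect_payroll_diversion(events, window=timedelta(hours=1)):
    """Return one alert per direct-deposit change that carries at least one strong signal.

    Strong signals: invalid routing number, change shortly after a new-device login,
    destination account shared by more than one employee. 'bank_changed' alone is
    only informational and does not raise an alert.
    """
    parsed = sorted(
        (dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events),
        key=lambda e: e["ts"],
    )
    # Logins from devices the user has not used before, per user.
    new_device_logins = defaultdict(list)
    for e in parsed:
        if e["type"] == "login" and e.get("new_device"):
            new_device_logins[e["user"]].append(e["ts"])

    changes = [e for e in parsed if e["type"] == "dd_change"]
    # Which employees now pay into the same (routing, account) pair: mule-account reuse.
    users_per_destination = defaultdict(set)
    for c in changes:
        users_per_destination[(c["new_routing"], c["new_account"])].add(c["user"])

    alerts = []
    for c in changes:
        signals = []
        if not aba_checksum_ok(c["new_routing"]):
            signals.append("invalid_routing_number")
        if c["new_routing"] != c["old_routing"]:
            signals.append("bank_changed")
        if any(timedelta(0) <= c["ts"] - t <= window for t in new_device_logins[c["user"]]):
            signals.append("change_soon_after_new_device_login")
        if len(users_per_destination[(c["new_routing"], c["new_account"])]) > 1:
            signals.append("destination_shared_by_multiple_employees")
        if any(s != "bank_changed" for s in signals):
            alerts.append({"user": c["user"], "ts": c["ts"].isoformat(), "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_diversion(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], ", ".join(alert["signals"]))
```

On the constructed data, alice's change is benign (same bank, known device, unique destination) and produces nothing; bob and carol are both flagged because they changed their deposit minutes after logging in from an unfamiliar device and point at the same destination; dave is flagged only for the impossible routing number. The shared-destination signal is the one worth escalating first, since it links otherwise separate accounts to a single mule.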
Timestamp: 02:34 - 11:27
The hosts discuss how major tech platforms inadvertently facilitate these scams by allowing criminal actors to buy ads and acquire visibility. Joe criticizes Google's intrusive ad placements and suggests alternative search engines like Bing for a less cluttered experience.
Key Points:
Ad Saturation: Excessive and poorly filtered ads on search engines can obscure legitimate services, making it challenging for users to distinguish between authentic and fraudulent portals.
Joe Kerrigan [07:02]: "Google has gone ad crazy with all their products."
Economic Incentives: Platforms like Google profit from ad clicks, inadvertently encouraging the proliferation of malicious ads despite efforts to curb them.
Joe Kerrigan [08:40]: "Google has a financial incentive for you to click on that link. They get paid more when that happens."
User Vigilance: Emphasizes the importance of educating users to avoid clicking on suspicious ads and to rely on direct links provided by their organizations for sensitive portals.
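The "Impersonation of Legitimate Portals" and "User Vigilance" points come down to one question a user, a mail gateway or a browser extension can ask: is this link one of the organization's real HR hosts, or something dressed up to look like one? The following is an added example, not from the podcast or Silent Push, of a small classifier for that question. The allowlist (`hr.example.com`, `payroll.example.com`), the brand keyword `example`, the edit-distance threshold and the test URLs are constructed assumptions; the registrable-domain helper is deliberately naive (last two labels) and a production version would use the Public Suffix List.

```python
"""Classify a link as an allowed HR/payroll host, a lookalike of one, or unrelated.

Added example (not the podcast's or Silent Push's code). Allowlist, brand keyword,
threshold and sample URLs are constructed assumptions.
"""
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this (hypothetical) organization uses for HR/payroll.
ALLOWED_HOSTS = {"hr.example.com", "payroll.example.com"}
# Brand strings that, inside a non-allowlisted host, suggest impersonation. Keep this
# list short and specific: generic words like "payroll" would flag unrelated sites.
BRAND_KEYWORDS = ("example",)
# Registrable domains within this many edits of an allowed one are treated as typosquats.
MAX_EDIT_DISTANCE = 2


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Use the Public Suffix List in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'allowed', 'lookalike', 'unrelated' or 'invalid' for the given link."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme not in ("http", "https") or not host:
        return "invalid"
    if host in ALLOWED_HOSTS:
        return "allowed"
    labels = host.split(".")
    # Punycode labels can hide homoglyphs (e.g. a Cyrillic letter in "example").
    # Assumption: the real portals are plain-ASCII hosts, so any IDN label is suspect.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    # The genuine hostname used as a subdomain prefix of an attacker-controlled domain.
    if any(host.startswith(allowed + ".") for allowed in ALLOWED_HOSTS):
        return "lookalike"
    reg = registrable_domain(host)
    allowed_regs = {registrable_domain(h) for h in ALLOWED_HOSTS}
    if any(edit_distance(reg, a) <= MAX_EDIT_DISTANCE for a in allowed_regs):
        return "lookalike"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed test links, the kind an ad-driven HR phishing page might use.
    for link in (
        "https://hr.example.com/login",
        "https://examp1e.com/hr",
        "https://example-hr-portal.com/login",
        "https://hr.example.com.login-help.net/",
        "https://xn--exmple-cua.com/",
        "https://news.ycombinator.com/",
        "javascript:alert(1)",
    ):
        print(f"{classify_url(link):10} {link}")
```

Only an exact allowlist hit is "allowed"; everything that merely resembles the real host is "lookalike", which is the right default for a link that asks for payroll credentials. A link with no scheme (`hr.example.com/login`) comes back "invalid" rather than "allowed", so callers should normalize bare hostnames before classifying if they want to accept them. The edit-distance rule will also flag unrelated short domains that happen to sit within two edits of the brand, which is a deliberate bias toward false positives for this particular check.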
Timestamp: 11:38 - 21:06
Joe shares his personal encounters with scam text messages posing as wrong numbers, highlighting the persistence and evolving tactics of scammers seeking to engage victims over extended periods.
Key Points:
Persistent Contact Attempts: Scammers initiate conversations after establishing a wrong number, gradually attempting to lure the victim into a scam.
Joe Kerrigan [12:02]: "They'll strike up a conversation with you after you've established that it's a wrong number."
Emotional Manipulation: By using familiar names and attractive images, scammers aim to build a false sense of trust and relatability.
Joe Kerrigan [14:16]: "They sent me another picture of a different young very attractive Asian woman."
Risk of Engagement: Engaging with these messages signals to scammers that the phone number is active, potentially increasing the frequency of scam attempts.
Joe Kerrigan [17:33]: "The second one actually got me, even if it was only briefly, they got me to respond and engage."
Timestamp: 22:53 - 41:58
Maria recounts her experience with a sophisticated fraudulent PayPal invoice that bypassed spam filters and mimicked legitimate communication, showcasing the deceptive strategies scammers employ to trick recipients into divulging sensitive information.
Key Points:
Sophisticated Mimicry: The fake invoice closely resembles genuine PayPal communications, complete with repeated fake customer support numbers and transaction notes.
Maria Vermazas [22:58]: "Here's your invoice again, sent via PayPal legitimately, but fraudulent, had spammed everywhere throughout it."
User Interface Exploitation: Despite being flagged as fraudulent by PayPal, the initial deception was effective enough to prompt Maria to interact with the scam, revealing her information.
Maria Vermazas [25:09]: "I clicked the link in the email, which was also a really stupid idea."
Adaptive Measures by Scammers: The use of cycling phone numbers and continuous attempts to contact victims exemplifies the relentless nature of these scams.
Maria Vermazas [25:46]: "They were trying to squeeze as much as they could out of this fake invoice by cycling through a bunch of fake numbers."
Timestamp: 22:53 - 37:30
Maria addresses the rise of job scams on professional platforms like LinkedIn, where fraudulent job postings deceive job seekers into providing sensitive financial information, leading to significant financial losses.
Key Points:
Fake Job Postings: Scammers create convincing job offers that appear legitimate, enticing unemployed individuals to provide personal and financial details.
Maria Vermazas [32:46]: "A young job seeker... completed an interview, job offer, tax documentation, identity paperwork, and payroll documents, only to have their bank account drained."
Financial Vulnerability: Younger and unemployed individuals may be more susceptible due to a lack of awareness about the dangers of sharing banking information.
Maria Vermazas [36:18]: "Handing over your routing number and your account number is advice like not, don't do that."
Protective Measures: Encourages the use of intermediary services and cautious sharing of financial information to mitigate the risk of fraudulent activities.
Maria Vermazas [35:26]: "Having a quasi empty bank account just for the purpose of waiting for these deposits to actually clear."
Timestamp: Throughout the Episode
The hosts discuss various strategies to protect against these sophisticated cyber threats, emphasizing the importance of education, robust authentication methods, and cautious online behavior.
Key Points:
User Education: Continuous training and awareness programs to inform users about the latest scam tactics and how to recognize them.
Dave Buettner [09:21]: "Education, telling people, don't go searching for our HR portal on Google."
Multi-Factor Authentication (MFA): Implementing hardware-based MFA to add an extra layer of security for sensitive accounts.
Joe Kerrigan [09:54]: "Just give them hardware keys and require them for your HR stuff."
Use of Secure Platforms: Encouraging the use of trusted intermediaries for financial transactions to minimize direct exposure of sensitive banking information.
Maria Vermazas [34:15]: "Using a verifiable business, like a payment transaction service that was trustworthy."
Vigilance and Caution: Advises skepticism towards unsolicited communications, especially those prompting immediate action or requesting personal information.
Dave Buettner [10:16]: "Never click on an ad... be really vigilant."
The episode culminates with a synthesis of the discussed themes, reinforcing the necessity for heightened awareness and proactive measures to combat the ever-evolving landscape of cybercrime. The hosts encourage listeners to adopt vigilant practices, utilize secure authentication methods, and educate themselves and their peers about the intricacies of social engineering scams.
Final Notes
The hosts conclude by reiterating the importance of vigilance and continuous education in the fight against cybercrime, encouraging listeners to share their experiences and stay engaged with the podcast for ongoing insights into cybersecurity threats and defenses.