A
You're listening to the CyberWire Network, powered by N2K.
B
Hello, everyone, and welcome to Hacking Humans, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague, Maria Varmazis. Maria.
A
Hi, Dave. And hi, Joe.
B
We've got some interesting stories to share this week, but first, let's get into our follow up.
C
Joe, you know, we haven't talked about in a while. Dave, Maria.
B
Yeah.
C
Hey, Maria gets it.
B
Yeah. All right.
C
I got a little bit of a chicken update.
B
Yeah.
C
So, you know, I'm building the run, or I built, like, the square part of the run, and I still have yet to build the roof, which I'm going to be working on this coming weekend.
B
Okay.
C
But in the course of doing that, I took this. What was the old run that was in the. In the new run with them, because the old run was very small. That's why I built the new one.
B
Okay.
C
And I took it out and put a new feeder in my brother recommended because he used to have chickens. Now he just has ducks.
B
Oh.
C
But I said, what? You know, these chickens are making a mess with this chick feeder. I still have, like, a little chick feeder for him.
B
Yeah.
C
And he said, well, I just put a big bowl on the ground. So I got a big bowl, put it on the ground, and one of my idiot chickens, it was Dottie.
B
Oh, Dottie.
C
It's always Dottie that does this.
B
Okay.
A
That troublemaker Dottie.
C
Yeah. And she just gets in there and acts like it's a chicken bath and starts rolling around in the chicken feed, scattering it to the four winds. And now I'm getting chicken feed all over the place, and I don't want that. So I'm going to come up with a new solution for that. Also, another one of my chickens, this is Speckleface. I named them, by the way, based on some features they had when they were chicks.
B
Okay.
C
So Speckled Face had a speckled face when she was a chick. Now, she doesn't so much have that, but she is getting pecked, it looks like, on her back and is missing a lot of feathers. And yesterday she had a little cheek.
A
She's getting bullied.
C
Yeah, she's getting bullied. She's the smallest of the chickens. So I put that run, that old run back in there because I think they were just kind of bored and, you know, once I put that old run back in there and they started hopping up on it. I put a couple perches in there as well, just for the time being until I can get more permanent solutions built up for it. But it's, you know, it's going well, but I am encountering a couple of difficulties. But now I'm getting, like, on average about four eggs a day.
B
Wow.
C
Which is pretty good.
B
That's pretty good.
C
So, yeah, I get a dozen.
B
So is the chicken hutch the coop? The coop. Thank you. Rabbits live in hutches. Chickens live in coops. Is it like a Habitrail where it's gonna keep expanding in different directions and soon your whole backyard is gonna be a giant chicken coop mall?
C
Yes. My wife has already suggested I build one of those little wire tunnels that lets them run around and keeps them safe from hawks and things like that. I don't know that I'm going to go through all that. I am gonna probably add onto the run, 'cause I designed it so that it could be added onto easily.
B
Yeah.
C
So I can just build two more walls. Take the front wall off, put the two other walls back on, and then put the front wall back on.
B
I think you should give them an observation tower.
A
I think you should give them hamster tubes so they can, like, pneumatic tubes for chickens kind of situation.
C
Yeah, that's exactly kind of the thing that my wife wants me to build.
B
Yeah.
C
Is like a little, like a Habitrail. Like a Habitrail for chickens.
A
Yeah. Yeah. And then have like an Augustus Gloop experience. So the chickens can. I want to see that. I want to see a chicken, like, slowly. That would be very fun.
C
So that was one of the things that terrified me the most about that movie was the Augustus Gloop situation.
B
Really? The back pressure in that tube.
C
Yeah. Him sitting in there. I don't know why that always bugged me, but it did. Okay.
A
And that's when you found out you had claustrophobia?
C
I am less comfortable in enclosed spaces than I am, like, sitting on top of a teetering ladder.
B
Okay.
C
I don't really have a fear of heights, but I am not really comfortable in enclosed spaces. But I could get an MRI. I don't think I'd have a problem with that. But anytime I have to shove myself into something, I'll never go spelunking. That's just not going to be a Joe thing.
B
Cave scuba diving, right?
C
Yeah. I've always wanted to get scuba certified and open water, but I'm not going
A
into any cave that's practically guaranteed death. It's right.
C
Everybody dies. When you hear about him dying in a scuba accident, he went into this cave. Oh, I see. Yes. He did something incredibly stupid.
B
Yeah.
C
Speaking of incredibly stupid, somebody. And the only reason I'm saying incredibly stupid is because I think this is actually pretty smart and fun. But somebody has finally come up with another good use for AI.
B
Yeah.
C
This is a tool from kagi.com, K-A-G-I.
A
I am a big fan and I pay for their service.
C
Oh, do you?
A
I do. I. The Kagi paid search and everything. I'm very happy that I've done that.
C
Okay. Well, they have a translate service and my son sent me this link this morning for translating to LinkedIn lingo, which I think is hilarious.
B
I feel this piggybacks on the thing Maria had last time. What was the Reddit, the subreddit?
A
LinkedIn Lunatics.
C
LinkedIn Lunatics, right.
A
So big fan on my pay, on
C
my web browser right now. I have this, this tool open. We'll put a link in the show notes. But what I've typed in in English is, I... rest assured I do not feel this way about my manager. I'm pretty confident in my management chain. So if anybody's listening, don't take this to mean anything, but I just put this in: "My idiot manager came up with the dumbest idea I have ever heard," and that's all I put in. LinkedIn speak is: "I'm incredibly grateful for the opportunity to lean into some truly disruptive out-of-the-box thinking from leadership today. It's a powerful reminder that embracing unconventional perspectives is key to fostering a growth mindset and driving innovation in a fast-paced environment."
B
Jeez.
C
Yeah, that sounds like it came right off LinkedIn.
B
Yeah.
C
I was griping on last week's podcast about how much I despise LinkedIn now. Called it Facebook in a suit and everything. And I am convinced that there are people out there who are just doing this kind of thing and using generative AI. So maybe I'll start doing this kind of stuff.
A
I think it's just AI talking to each other. You've got AI making the posts and then AI in the comments and I don't know if people are actually in the loop anymore.
C
For sure, it could very well be.
A
Yeah, I doubt it. But some people also use LinkedIn kind of like Facebook and I find that also very confusing. Yeah, I just, I just. It doesn't fit my mental model of how you're supposed to use LinkedIn to use it. For a lot of personal updates. I get very confused by that.
C
I see so much political stuff on LinkedIn and I'm like, what are you doing?
A
Why?
C
Why are you doing that?
A
Yeah. That just again, does not fit my mental model of what LinkedIn is for.
B
I have been avoiding LinkedIn for probably about a year now.
A
Yeah, it's for the best. It's for the best.
B
I just don't like it. I just, it. The. And a big part of it is this sort of style of communication, this inauthentic style of communication, I guess.
C
Yeah.
B
And everybody who contacts me or reaches out. Well, it's not fair. Many of the people who reach out because people. Many of the people who reach out to me on LinkedIn are in good faith just want to connect and that's fine. But enough people reach out to me on there who just want something from me.
C
Yeah.
B
That just feels one directional.
A
Yeah. I also have to say for people who post daily on LinkedIn, I definitely look askance at that. If you're posting that much on LinkedIn, I'm like, what's going on there?
B
So, yeah, so we have another. So we will share that link in the show notes. So do check that out because it is great fun.
C
Let me just tell you about my past three interactions on LinkedIn. Is somebody, somebody is still on this?
A
Okay.
C
Yeah, I'm sorry, I just. Because I opened LinkedIn and I was getting ready to go here. And before we move on to that, this one is, "Hi, I noticed you have a podcast and wanted to see if you were looking for new guests." And another one is, "Hey, do you want to come to my conference that I'm hosting in Reston?" I'm like, no, I'm busy. And another one is this. This is the recent one as a career ownership coach with the entrepreneurial source I got. It's just somebody selling career coaching services. Yeah, that. That's the last three interactions. Then I... the one before that is a vapid, "Hey, congratulations on your... congratulations on your 10 year anniversary at the CyberWire." Yeah, right. I've been doing this for 10 years, which was kind of. And, and you know what I did? I just clicked the automatic thank you. And it just like, thank you, thanks. And then this guy's first name is a middle initial and he replied with the automatic you're welcome.
B
There you go.
A
That was a very high value.
C
Such an empty conversation.
A
Yeah. So great. Yeah, it's just like dropping your business card in a fishbowl. Like what? You know, I don't know.
C
Yeah, I'm sorry, I had to talk about how much I despise. I'm very close to just deleting my account on this platform.
B
Yeah. So there's another use of AI that was shared around on our CyberWire Slack channels over the past week or so.
A
Yep.
B
And this is from a group called CivAI, Civic AI Security Program. They have an automated phishing platform. So basically, you put in some celebrity's name and it automatically generates a phishing email for them.
A
It could also... fictional characters it can do, which I had a lot of fun with.
B
Right. So I'm just going to put in Yoda.
C
I was gonna do Boba Fett.
B
Okay.
C
But no, do Yoda. That's fine.
B
All right, we'll do Yoda. So it's looking up Yoda. Oh, that's interesting. It gave us Frank Oz.
C
That's so good.
A
We know you have a choice in podcasts, and you probably should make a different one. Yes.
B
Okay. All right, well, so, okay, this is. So I put in Darth Vader, and it came back with Anakin Skywalker. So we'll. We can go with that.
A
Spoilers, Dave.
C
Close enough.
B
J.
C
Right.
B
So basically what this does is it goes to Wikipedia, looks up the person so it finds out everything it can about them, and then you ask it to write the phishing email, and it generates the phishing email. So this one says, "Dear Master Skywalker, I'm reaching out from the Coruscant Refugee Resettlement Initiative. Our records indicate you might have connections to former Jedi support networks. We're currently documenting displaced Force-sensitive individuals and tracking potential relocation assistance for those impacted by recent Imperial actions. Given your unique position and historical involvement with the Jedi Order, we believe you could provide critical background information about survivors who might need emergency assistance. Our team has preliminary data suggesting several at-risk individuals in the Outer Rim will require immediate support. We would appreciate any confidential information you can share regarding known Jedi survivors or their potential whereabouts. Your discretion is paramount as Imperial monitoring remains aggressive."
C
This sounds like something a Sith Lord would say.
A
I had so much fun with this link, Dave. I was using it on so many fictional characters like Paul Atreides from Dune. It was just so funny to see what the AI came back with. Personal vulnerabilities or attack strategies on Paul Atreides. And then seeing that eventually the phishing emails sort of lead you to try and hack Paul Atreides' LinkedIn account.
C
I got tons of spice Maldives.
A
Yeah, the spice must flow. It was just. I had fun. I was sending this link around to a lot of friends. And I can actually see this one being something that people will engage with who don't normally think about this stuff. It's a really useful teaching tool. I'm a big fan of this.
B
It really is.
C
And it goes on to do an entire platform kind of thing, like you can. It'll show you what the landing page for the site you're linking to looks like. Yeah, it's amazing. I'm sorry, Maria, I cut you off.
A
No, it's okay. If you hit in some of the. As you scroll down, there's an option where it has the initial phishing email. Sometimes you can hit the reply button and actually it'll go back and forth with you to try and lure you in as this character. It's really quite interesting. So yeah, I've sent this to a lot of people who are not normally interested in any of this kind of thing and they've also been having fun with it. And that feels like a hook, a really good one.
B
So yeah, I think it's a great way to get people accustomed to what to look for.
C
Yeah, it is.
B
Yeah. All right, again, we'll have a link to that in the show notes. We will be right back after these messages. Every attacker counts on one thing: environments that trust too much. ThreatLocker closes that gap with default deny at execution. Unknown software blocked. Trusted apps contained with ring fencing. Configurations verified with ThreatLocker DAC so you stay secure and compliant. ThreatLocker delivers the visibility and control CISOs need without adding operational pain, making zero trust real for teams of any size. Stop ransomware at its earliest point. Book a demo at threatlocker.com N2K. Let's get to our stories here. Maria, you want to start things off for us?
C
Sure.
A
So yeah, it's AI related. Surprise. My story comes from Wired this week and it's an update to a long-standing story that we've covered a lot about basically pig butchering scams that are based in Southeast Asia and slavery going on there. There is a new job listing that's been going out in the last year or so for what they're calling AI face models. And these AI face models are actually working and I believe actually getting paid at these call centers. Potentially also enslaved or at least unable to leave the compounds for their contracting stints. But the way that Wired was able to dig into this one was they were looking at a bunch of Telegram channels' worth of job postings. And again, these are legit job postings where these job postings were listed for AI face models. And they actually saw people responding to the job postings. So a lot of these models are based in Asia or Central Asia. And one example of a job respondent was a 24 year old woman from Uzbekistan and she posted a video highlighting her language skills and on-camera presence. And she was seeking work through these job postings to do live video calls where her face would be altered using AI to match a fake identity. So we've been watching deepfakes evolve with great interest. I know I have over the last few years and I think we all know now that face swapping has gotten to the point where it can happen very easily in real time pretty convincingly. Not that long ago it was glitchy, but now it's scarily solid. And actually I was just watching something earlier today about not just face swapping but full body swapping is even getting pretty convincing where. Really? Yeah. Or even if you're using, if you're using AI to swap you out as a totally different person, like say Taylor Swift or something, you interacting with the clothing you're wearing would actually convincingly have your avatar also doing the same.
So if you've got a shirt, a collared shirt on, you can manipulate your shirt and your AI avatar wearing something different will also manipulate their shirt in a convincing way. It was wild, but that's still a little slow and requires a lot of heavy lifting computationally. Whereas face swapping is pretty easy comparatively. So if you hire a young model with like a nice body, I suppose all you need to do is have the face swapped out and you can deploy this at scale and especially if that person can speak the language that you're trying to target people with convincingly. You don't need to do a voice swap either. They can just use their voice, use their body and just swap their face out at will. So the, the job listings that Wired was uncovering through Telegram, they're real and they're for short stint contracts, usually about six months or so. The promises made by these job offers are questionable, but they, they do say that you do get paid a lot. Some job applicants are asking for things like $7,000 a month salaries, which is, I don't know if that was just someone going pie in the sky or they're saying this is a normal competitive salary for this kind of work. So that's pretty wild.
C
I know you're gonna make a bunch of money scamming people with my face. I want a cut.
A
Yeah, seriously. But the, the job demands are also the, the scammers are pretty upfront about what's going to be asked of these models where long overnight shifts, sometimes over 100 to 150 video calls a day. Wow. And often their passports are taken for, quote, visa and work permit management. But as we often have talked about on this show, it really just keeps the person captive. But there have been a number of stories that have covered working as an AI or call center model. And apparently these people do bounce around from call center to call center. So it doesn't seem like they're actually being held indefinitely right now. Maybe they will be, I don't know. But it seems like there's a real job market for this and people are living in parts of Southeast Asia and doing this kind of job and looking for this kind of work. So it is known they're calling themselves AI call center models or AI face models, and they're going to rely on scripts. They're going to be in a big old room with a whole bunch of other AI face models doing the scamming. And these interactions are going to be extremely real time because the models speak the target language. In some cases it's a dialect of Chinese or it's going to be Russian or English. And all that's different is their face is swapped in and out with AI, which is, again, trivial nowadays. So the takeaway for all of us and for the people that we know is that if you're going to be saying, hey, I need a video call with you to make sure that you're a real person, that's not something you can depend on anymore. This is being deployed at scale to scam people and convince them that the scam is real. So, yeah, good times.
C
Yeah.
B
I was talking to someone in the past couple weeks who was dealing with a deepfake scammer who was using video. And the way they were able to determine that is that they asked the scammer to turn completely around in their chair to do like a 360 spin and also to pass their hand in front of their face because evidently the software can have trouble with that. And the person on the other side refused to do either of those things.
A
Right.
B
So cut it off.
A
Can I tell you the video I saw just this morning, though? They were able to stand up on their chair, turn around everything, and it worked just fine.
B
Wow. Okay.
C
So that's not gonna work much longer.
A
It's not gonna work. Yeah, it was quick. I was like, yep, they've figured that one out already. So, yeah, I was thinking of something like that too. And I'm like, surely we've got some bona fide ways. And you know, a few weeks later, nope, they figured that one out.
B
So can I share the other takeaway for me from this?
A
Sure.
B
That is completely selfish. So you put in this picture of this AI call center model.
A
I did.
B
Little resume kind of thing. It lists her name, height, weight. But her hair color and eye color are both listed as chocolate. I'm gonna start using that.
C
That's good for your hair color, Dave.
B
Yeah, right. What color?
A
That's your takeaway, Dave.
B
All right. What color are your eyes? Chocolate.
C
Chocolate.
B
Delicious chocolate. They're not mud brown, they're deep chocolate.
A
Not chestnut.
C
Chestnut. That's another good one.
B
No, no chocolate. I have chocolate. Although chocolate hair doesn't sound. No, it sounds kind of chocolate hair.
C
I'm gonna go with powdered sugar for my hair color.
A
Whatever gets you through the day, man, you know?
B
All right, speaking of getting through the day, let's move on. Joe, what do you got for us this week?
C
Dave, my story comes from Interpol and they have released their 2026 Global Financial Fraud Threat Assessment, second edition. And everybody knows what Interpol is, but they're like an international police organization. They have like 150 some member nations. The United States is a member of Interpol. And what they're. This report is pretty long. We can't go into all of it. But what I do want to cover is some of the key takeaways that were listed in an article on Interpol's website and also in the report itself. And the first key finding they have is that law enforcement authorities are collaborating more effectively against financial fraud. So that's really the goal of Interpol is collaboration among law enforcement organizations. So they're starting Interpol. The Interpol goal, yes. So it doesn't really, at least not in my cursory reading of this report, talk about how effective that is. So maybe they don't have metrics on that yet, but I imagine this will only get better over time. I'm hopeful. I'm hopeful this will only get better over time. The next key takeaway is the significant global and human financial and human cost to the financial fraud. And this was shocking to me. Global losses related to financial fraud in 2025 alone have been estimated at $442 billion. That is the estimate. I don't know if that is just going off of reporting, but if it is just going off of reporting, that is a low estimate. Do you remember years ago, Dave, we had somebody write in and say the total cost is over a trillion dollars a year. And I was dubious of that. And I actually had a conversation with the guy and he laid it all out for me in terms of not just financial losses, but also in recovery costs and things of that nature. And it was believable. Here we are now looking at financial losses close to half a trillion dollars. So this has grown so big, it's such a huge problem.
And one of the things that is leading to that is the global spread of scam centers, which is another key takeaway. Initially, these scam centers were kind of a regional phenomenon. You'd have them in India, I don't know. They had actually scam call centers in Nigeria, in parts of Africa. But those guys mostly operated off of cell phones or still do operate off cell phones. But now this is a global threat with centers discovered across multiple regions. And of course, these centers engage hundreds of thousands of people. And as we've talked about already today, many of them are forced to perpetrate these online frauds. To date, victims from nearly 80 countries have been trafficked into online scam centers with no continent left untouched. And they actually had data that was showing that people from the United States and Mexico had been trafficked. So that's American citizens and Mexican citizens, which you wouldn't really expect. But guess what? It's happening. Yeah, you know, the United States is a huge fraud market for these guys. Why not kidnap a couple of some American English speaking people and help make your fraud more efficient? Yeah, speaking of making your fraud more efficient, and we've already talked about this as well, there's an AI angle in this story as well. Fraud has been increasingly enabled by these artificial intelligence tools. And this study says, or this document says that the AI enhanced fraud is 4.5 times more profitable than traditional methods. So it really helps these guys scale up. This is a problem from an economic standpoint because this really makes this career attractive. If you were in one of these countries and you were doing okay and you weren't looking to go into the fraud business because you had a pretty good job, now it is 4.5 times more profitable. So if you were making, you know, if you look at a scammer and go, that guy's making $20,000 a year, he's probably now making closer to $100,000 a year, which is remarkable.
More bad news here.
A
It's a great episode today, everybody.
C
Criminal networks are cooperating globally and they are sharing expertise and technology. And something this report doesn't say, but I can guarantee is the truth: they're also sharing data. They're, you know, when they, when they find a target, they're selling that data and, and letting other criminals, criminal organizations have a crack at whoever they've already targeted.
B
Yeah.
C
And then the last key takeaway here is there is an interesting nexus between financial fraud and terrorist financing across the African region, which they, they. I did read a little bit about this. They're finding these guys are using cryptocurrency scams to finance their operations. Because once you. With cryptocurrency, you can move money internationally very quickly and then you can sell it and get your hands on some money to go out and buy some AKs. That's the AK47.
A
Thanks for that. Yeah.
B
Okay.
A
It wasn't clear. Yeah. What other AK would we be referring to?
C
There's like an AK53 and I think there's a new one.
A
You know, ask a stupid question.
B
Yeah, See, fair. You had to go there, didn't you?
A
Yeah, yeah.
C
AK47, very reliable weapon.
A
Classic for a reason.
C
Yeah, it's classic for a reason. That's right. So, yeah, we'll put a link in the show notes to the article that has a link at the bottom of the page for the full report. I would encourage everybody to go out and read it. I mean, if you keep falling asleep, this will keep you up at night.
B
Okay.
C
It's the opposite of something to read to go to sleep.
B
If you don't have enough anxiety in
C
your life, this is the report for you. Are you one of the few people
A
really relaxed nowadays who's nothing on their mind?
B
If only I had more stress in my life. If only I just.
A
Current events are just so relaxing.
B
I'm cruising through this world with just too much happiness. What could I read that would put me on edge?
A
The joy scrolling is just getting to be too much.
C
This new Interpol report on global financial crime.
B
There you go. I'll tell you what, let's take a quick break here to hear from our show sponsor. We will. We will be right back after these messages. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com N2K today. And we are back. It's my turn. So I have a story from the folks over at Bleeping Computer.
C
I love that website name.
B
Yeah, they did a nice story, a rundown summary of the refund fraud economy, where that stands. And some of the various types of refund or refund frauds, say that five times fast, that are out there and why it matters. So they start off at the outset by saying that refund fraud used to be just petty crimes. It was more opportunistic where someone would take advantage of a store's return policies. You could buy something, claim it's broken, get your money back. There's also, you know, I've seen in movies where people would just walk into a store, pull something off the shelf, go up to the service counter and say, I'd like to return this. So you have a receipt? No, no, it was a gift. And they walk out there with cash or store credit or whatever. But this points out that refund fraud has really evolved into something that is much more organized. It is an underground marketplace. The techniques are packaged, priced and sold. So they dug into some research here where they were looking into some of these fraud-focused online communities and they found millions of posts advertising what they call refund methods. So these don't require malware. We're not talking about zero days. It's just taking advantage of the rules, exploiting the system. Yeah, customer service policies, return guarantees and payment dispute systems. So I thought it'd be fun to go through a few of these. One of them is called refund without return. Pretty self-explanatory. That's where someone convinces the retailer to issue the refund without ever sending the product back.
C
Yeah, I've gotten this from Amazon a couple times. Like I bought a little handheld vacuum cleaner for like 10 bucks and it just did not hold a charge. Oh. So I asked for a refund on it and they were like, yeah, just throw it away. Yeah, I mean, I get to keep a crappy from the honest guy's standpoint. Right. I get to keep a crappy vacuum cleaner. It's actually still in my car. I haven't thrown it away. It doesn't work, so it's useless. But I should probably. When I clean my car out, I'll throw it away. But my wife gets this frequently when she complains about stuff. And I saw somebody the other day at work, they said they got the wrong flavor of Bubly, the seltzer water.
B
Yeah.
C
And, yeah, Bubly. And Amazon said, keep it, we'll send you the right one. Yeah.
A
It's just not worth the cost.
C
Right.
B
Yeah.
C
So I get where this is coming from. This is the no return. They're exploiting that and making money on it.
B
Right. And they say also, sometimes people will claim that the item never arrived or that it showed up damaged, and then customer service will either send you another one or issue a refund, that sort of thing. And this works with companies that prioritize speed and customer satisfaction. So the refund gets issued. Next up is chargeback fraud. We've talked about this before. This is when the buyer goes to their bank or their payment provider, basically their credit card company, and they dispute the purchase. They say, I didn't authorize this. And so the bank pulls the money from the retailer, and for the retailer, they often put a fee on top. And so the fraudster gets to keep the product and they get their money back.
C
Right. And the retailer loses more than the cost of sending it to them.
B
Correct. Correct. It's really hard on the retailer, especially small. If you're a small mom-and-pop shop or an Etsy store, something like that, this sort of thing can be devastating.
A
I've known people whose entire livelihoods, usually as a small seller on places like Etsy, have gotten completely decimated by all these kinds of scams. Small businesses really bear the brunt of this. And even just the protective measures that people have to put in place to try and prevent this kind of thing from happening can often add to shipping costs and that kind of thing. And that eats into their profits, and that can kill your business. It's really awful.
B
Yeah. Another tactic they call goods swapping, which is instead of returning the original item, they send back either something cheaper or maybe counterfeit or even broken. And to the rushed returns department, it looks legitimate, but it's too late. I got in trouble once for this when I worked at Radio Shack when I was in college. It was right after the Christmas season when everybody's really busy and people are returning things. And somebody returned a, by my recollection, a wireless microphone kit. And I just took it back and it was in the box and we were busy and I didn't check very carefully. And inside was just, you know, looked like this wireless mic kit had been dragged through a river.
A
It might just have been.
C
Yeah.
B
I mean, it was just awful. And so for a little while, I wasn't allowed to return things. My manager was like, yeah, you stay over there.
C
Yeah.
B
So there's one called the empty box trick. This is when a package gets shipped back, but there's nothing in the box.
C
Yeah. I worked at Best Buy, and they had a phrase for this. They would call it rocks in the box, where people would literally. They had the cellophane sealers back at the house. They'd go out, they'd buy whatever they wanted. They'd get rocks that weighed about the same amount, and they put it in the box, seal it up, and bring it back with the receipt and get the money back.
B
Oh, I see. And so it's because it's sealed, they don't want to unseal it because they feel like they can resell it.
C
They can resell it.
B
And then you and I come along, buy the thing, get home, we're excited to open it. And it's a box of rocks.
C
Right.
A
It's a brick.
B
Trying to think if that's ever happened to me. Have I ever opened something?
A
I've gotten that once before.
B
Have you?
A
Yeah, I have. It was literally like a brick. It was so aggravating. Yeah. This is. I think usually when you're dealing with electronics, that's more of a risk. So.
C
Yeah.
A
Yeah, you got to be careful on that one. It's. It's so aggravating. But only once. But once was enough.
B
Yeah. I guess I've heard of this one happening a lot with iPhones, because I guess they're small enough. You know, it's just a. And they're valuable enough.
A
Yeah, yeah, I know. There's a Micro Center nearish to me. Do you guys have Micro Center? Is that a national. Okay. And I know that that one tends to get hit a lot with shoplifters, and I think they also have to be really careful about the dumpster because people will often go through for the packaging and try and use that to resell or put bricks and stuff. Like, it's. It's a pretty nasty problem. So. Yeah, sorry. I'm chuckling because it's just ridiculous. I'm amazed at how creative people can be, and everyone's just trying to get ahead, but it's also just ridiculous.
B
Right. And the last one they list here, they just call policy manipulation, and that's where they look at the fine print of the return policies and they just play off of the system. So they figure out how many times you can report a missing delivery or how warranties are handled or what it takes to get customer service to escalate a case. Basically gaming the system.
A
Min-maxing it, right?
B
Yeah. And then they just follow the same script over and over again up until the point that they can't. So I guess this is one of those things of not letting the perfect get in the way of the good, where you're always going to have a certain amount of people and it's like shoplifting. There's always going to be a certain amount of loss or shrinkage and that's just a part of doing business. But I guess what's problematic is so much of our commerce is done being shipped because of things like Amazon. All these online purchases, it's added this whole not face to face aspect of this. Right, right. Makes it easier.
C
There's a couple of ways that companies have gotten around this. Like if you think of Costco, you have to pay a membership fee to be a member. And then once you're a member, the service is really good. You can pretty much return anything at Costco. But if they find out you're being fraudulent, they just revoke your membership and you can't go into the store anymore. And then that's how they keep their costs low is because they keep their inventory shrink down. And you can't even get in there without a membership card. And now they're scanning it at the door. Have you noticed that?
B
Oh, no, I haven't been to Costco in a while.
A
They don't just have the guy who gives you the nod.
C
No, no, I have to scan my card when I go in there.
B
Sure it's not just you, Joe?
A
I was gonna say I'm not sure.
C
I've seen Joe scan that guy's card.
B
This guy looks shifty to me.
C
Right.
B
I'm sorry, sir, you're gonna have to. Oh, no, no. You, madam, please come right in. You, sir.
A
I get the wave and nod. Joe gets the scanner.
B
That's right.
A
When they start doing cavity searches, Joe, you know something's up. Okay.
B
Yeah.
C
You still get the wave and the nod, Maria.
A
I do.
C
So I'm wondering if it's only that they only implement that at places where they have. They've had. They've had issues.
B
Or maybe it's just you.
C
Maybe it's just.
A
I was gonna say it could just be you.
B
Next time before you walk in, Joe, just hang out at the entrance and see if anybody else is getting the nod.
C
No, everybody's getting the. Everybody's scanning. Everybody's scanning as they walk in. It's a little thing, and it comes up with your picture there. Oh, so you can't share a membership anymore?
B
All right, well, maybe you shop at a Costco in a bad part of town.
C
It's in Columbia, Dave.
A
Yeah, I was gonna say it's a pretty nice town. Not being able to share a Costco membership feels very un-American to me. I'm putting my foot down. Come on.
C
Yeah. My son and I are on the same membership, so we each have a card.
B
Yeah, yeah. This article says that in 2024 retailers processed about $685 billion in returns, and of that, they estimated over $100 billion was fraudulent.
C
Wow, that's like 15%.
B
Dang.
A
It's a lot of money.
B
Yeah. So be on the lookout. These are, you know, somebody sends you a box of rocks, Right.
A
It can happen to you because it's happened to me.
C
Yeah.
B
All right, well, we will have a link to that story in the show notes. Joe, Maria, it is time to move on to our catch of the.
C
Dave, our catch of the day comes from the scambait subreddit. The title of this one is Jessica Sometimes I Just can't be Bothered with these idiots. Actually, I guess it's Jessica Sometimes I Just can't be Bothered with these idiots.
B
That's right. The implication is that Jessica is the idiot, I think.
C
Right. Yeah.
B
So I think what I'd like to do here is have Maria be Jessica.
C
All right.
B
And Joe, you be responding to Jessica.
C
Okay.
B
And I think part of what makes this one so entertaining as I read it, is the cadence and perhaps acceleration of it.
A
Okay, which side is which? I'm looking through these.
B
It starts out with Jessica.
C
Right? Oh, God.
A
That's all Jessica.
C
Yeah, right.
A
Oh, my God.
C
I don't have any reading to do until the bottom of the first slide.
B
Take a deep breath, Maria.
A
Do you want me to go through this fast? You want me to just, like, speed run it?
B
Yeah.
A
Yeah. Okay. Hi. How are you doing? Are you there? Do you still remember me? Are you there? I lost my phone. That's why I have not been able to reach you since all these days. Why are you not writing my message without replying me? Are you there? Hi. I don't know why you don't want to reply me. We always talk on TikTok. I don't know why you're not replying me again.
C
I have no idea who you are. But the reason I wasn't replying is because you were messaging me at 3am.
A
I am so sorry.
C
I don't think you were. I don't use TikTok.
A
I mean Facebook.
C
I don't use Facebook either.
A
I'm driving. That's why Instagram.
C
You shouldn't. You shouldn't drive and text. It's dangerous. I don't have. I have no followers on Instagram.
A
Yes, thank. I am going to park now. You followed me on Instagram. We are able to talk. I will have showed you tonight because I lost my phone.
C
No, I didn't. I don't follow anyone on Instagram.
A
I even have your picture on my former phones.
C
I don't think you do since I haven't posted any pictures on Instagram.
A
I followed you on Instagram. You did not follow me. I followed you in a message you then and you reply me.
C
No one follows me on Instagram.
A
I wish I have my phone with me. I will have showed you our chatting.
C
Because I don't use Instagram before I lost my phone.
A
We have been talking since last two months. I think.
C
I don't think so. I don't talk to anyone besides my family.
A
I am sure of what I'm talking. It's because you don't remember me again and I understand.
C
I don't remember you because I don't know you.
A
I'm looking for a way to log in my Instagram but I can't remember the password again. I will have showed you our chatting. How was your night?
C
Good luck. Since I don't use Instagram, I don't use social media. We aren't allowed to here.
A
Really?
C
Yep.
A
If you don't use social media, how did I get your number?
C
Exactly. How did you get my number?
A
You gave it to me.
C
No, I didn't. I'm 16 and don't give my number out to anyone.
A
The day you gave it to me in the evening, I lost my phone. Can I see a picture of you?
C
I have never given my number out. No, I don't know who you are.
A
If you don't remember me again, no problem.
C
Lol. I have never spoken to you before in my life.
A
Can I see a picture of you so I can know if I'm right or wrong?
C
No. I told you, I'm 16. I don't share pictures.
A
I can't believe it. You are not 16 years old. The man that gave me this number is a matured man, not a small boy.
C
Well, believe whatever you want because it wasn't me that gave you this number. I've only had this number for less than a week.
A
Okay, no problem.
C
Yep. Goodbye.
A
Okay. Are you not from Australia?
C
I'm not telling you where I'm from. I don't talk to strangers.
A
Okay, I know you're lying, but there's no problem.
C
Whatever. Go away. I don't talk to strangers. You know nothing about me. I've had this number less than a week and it's only so I can talk to my dad. So you don't pretend you know me.
A
I know you. I am not pretend you don't know me. I know you.
C
Nope, sorry. You don't know me.
A
I know you.
C
Whatever.
A
You are pretending you don't know me. Maybe because of your wife. She's with you.
C
What? Lmao. I'm at school right now. My friends are getting a laugh out of this. Why don't you send me some pictures? They'll get a bigger laugh out of that.
A
Are you kidding me?
C
Lmao.
B
Oh, go for it.
A
This keeps going.
B
Yeah, well, we can wrap it up there.
C
It starts dragging down into the gutter there. Good read though.
B
Yeah.
A
Wow, this goes on a long.
C
I mean, this person is insistent, aren't they? I mean, they just keep pounding this person, trying to get them to send them a picture.
B
Yeah, I don't know which of these people. I mean, they're both. It seems like both of these people are a bit of a menace.
C
Yeah. I don't know. The 16 year old might actually just be a 16 year old.
B
Yeah.
C
You know what? 16 year old boy isn't a menace. That's true.
B
Has all the time in the world. This is paying attention in class. Just what else am I going to do today?
A
Oh, what is Bobby drop tables doing in calculus? Well, he's. He's engaging with a bot, I guess, and really enjoying himself. I'm not sure.
B
Yeah, yeah, absolutely. All right, well, we will have a link to that in the show notes and if there is something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com. And that is our show, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Buettner.
C
I'm Joe Kerrigan.
A
And I'm Maria Vermazes.
B
Thanks for listening.
Podcast by N2K Networks
Date: March 26, 2026
Hosts: Dave Buettner, Joe Kerrigan, Maria Verma
This episode delves deep into the fast-changing world of AI-driven deception: from the rapidly evolving threat of AI-powered deepfakes to the economic and human impact of global scam centers and the increasingly sophisticated ecosystem of refund fraud. The hosts explore the tangible dangers and real-world exploitation emerging from AI manipulation, touching on everything from scam call centers hiring "AI face models" to Interpol’s alarming latest stats on financial fraud. They share actionable insights, memorable stories, and a few moments of levity, delivering a must-listen for anyone interested in protecting themselves from cyber-enabled scams and social engineering attacks.
Kagi AI: Satirizing LinkedIn Speak (05:10–08:15)
“My idiot manager came up with the dumbest idea I have ever heard...”
...becomes:
“I'm incredibly grateful for the opportunity to lean into some truly disruptive out of the box thinking from leadership today...embracing unconventional perspectives is key to fostering a growth mindset and driving innovation in a fast paced environment.” (06:07)
CivAI Phishing Platform: AI Customized Social Engineering (09:46–13:11)
“I had so much fun with this...eventually the phishing emails sort of lead you to try and hack Paul Atreides’ LinkedIn account. I got tons of spice Maldives...the spice must flow.” – Maria (11:44–12:11)
Wired Investigation on “AI Face Models” in Southeast Asia (14:13–18:58)
“If you’re going to be saying, ‘hey, I need a video call with you to make sure you’re a real person,’ that’s not something you can depend on anymore. This is being deployed at scale to scam people and convince them that the scam is real. So, yeah, good times.” – Maria (18:53)
“They were able to stand up on their chair, turn around, everything, and it worked just fine.” – Maria (19:38)
Human Cost and Exploitation:
Massive Financial Losses and Organized Global Collaboration (20:55–25:46)
Humorous Aside:
“That’s your takeaway, Dave.” – Maria (20:24)
“Yes, what color are your eyes? Chocolate.” – Dave (20:24)
“This person is insistent, aren’t they? I mean, they just keep pounding this person, trying to get them to send them a picture.” – Joe (44:31)
On AI deepfake video calls:
“If you’re going to be saying, ‘hey, I need a video call with you to make sure you’re a real person,’ that’s not something you can depend on anymore.” – Maria (18:53)
On global scam revenues:
"Global losses related to financial fraud in 2025 alone have been estimated at $442 billion…here we are now looking at financial losses close to half a trillion dollars." – Joe (22:28)
On AI-powered phishing lessons:
“I can actually see this one being something that people will engage with who don’t normally think about this stuff. It’s a really useful teaching tool.” – Maria (12:21)
On policy exploitation:
“They just follow the same script over and over again up until the point that they can’t. So I guess this is one of those things of not letting the perfect get in the way of the good, where you’re always going to have a certain amount of people and it’s like shoplifting." – Dave (36:24)
LinkedIn Lingo Translation & AI Satire: 05:10–08:15
AI-Generated Phishing Demos: 09:46–13:11
Main Story: AI Face Models & Deepfake Video Fraud: 14:12–19:52
Interpol’s Global Fraud Report: 20:55–26:35
Evolution of Refund Fraud: 28:52–39:20
Catch of the Day: Scam Text Reenactment: 39:40–45:06
For further information and to explore all stories and tools discussed, check the episode show notes.