Hacking Humans – “The Fine Print of Fraud”
Podcast: Hacking Humans by N2K Networks
Episode Date: April 2, 2026
Hosts: Maria Varmazes (A), Joe Kerrigan (B), special guest Michelle Kellerman (C)
Overview
This episode dives into new and evolving techniques in social engineering and cyber fraud, unpacking how criminals leverage “the fine print” of digital trust to run sophisticated scams. Hosts Maria Varmazes and Joe Kerrigan are joined by Michelle Kellerman to analyze topics ranging from email bombing to industrial-scale crypto fraud and home title scams. The team also highlights how irritation and fear are emotion-driven vectors for attack, weaving in practical response strategies, personal anecdotes, and some not-so-impressive phishing attempts.
Key Topics and Insights
1. Email Bombing and Subscription Bombing Attacks
[00:59–08:46] Listener Story & Discussion
- Listener Bruce’s Experience: A volunteer helping seniors describes an hour-long flood of spam into his Gmail, possibly a form of “email bombing” (subscription bombing) – potentially retribution for cyber events (e.g., attacks in Iran).
- How It Works:
  - Email bombing floods a victim’s inbox with hundreds or thousands of automated emails, often using variations with inserted periods in Gmail addresses.
  - The goal can be to “hide” a legitimate email (e.g., password reset, transaction alert) in a deluge of noise.
  - Can serve as the opening to follow-on social engineering, like fraudulent phone calls claiming to help.
  - Clicking ‘unsubscribe’ in these spam emails can launch further attacks.
- Tools and Tips Discussed:
  - Gmail quirks: Periods don’t change the address, and you can append “+something” to sort or track signups.
  - Key advice:
    - Change passwords for any possibly compromised account.
    - Watch for suspicious transactions.
    - Don’t click unsubscribe links in spam.
    - Prepare for phishing phone calls after such attacks.
- Memorable Quote:
  “It’s like a DDoS attack, almost.”
  – Maria Varmazes [04:39]
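The Gmail address quirks and the "hide a legitimate email in the noise" pattern from this segment, as an added triage example that is not from the episode: it collapses dot and +tag variants to one mailbox, flags a burst from many distinct sender domains, and surfaces alert-like subjects inside the burst. The message tuples, keyword list, thresholds, and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subjects worth surfacing from inside a flood (constructed keyword list).
ALERT_RE = re.compile(r"password reset|transaction|security alert|new sign-in", re.I)

def canonical_gmail(addr):
    """Collapse Gmail dot and +tag variants to the one mailbox they reach."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain == "gmail.com":
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def find_bombing(messages, window=timedelta(minutes=60), min_senders=5):
    """Flag mailboxes hit by many distinct sender domains inside one window."""
    by_box = defaultdict(list)
    for ts, rcpt, sender, subject in messages:
        domain = sender.rpartition("@")[2].lower()
        by_box[canonical_gmail(rcpt)].append((ts, rcpt.lower(), domain, subject))
    findings = {}
    for box, msgs in by_box.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            while msgs[end][0] - msgs[start][0] > window:  # slide window forward
                start += 1
            burst = msgs[start:end + 1]
            senders = {m[2] for m in burst}
            best = findings.get(box, {"senders": 0})
            if len(senders) >= min_senders and len(senders) > best["senders"]:
                findings[box] = {
                    "senders": len(senders),
                    "variants": {m[1] for m in burst},
                    # Alert-like subjects the flood may be burying.
                    "buried": [m[3] for m in burst if ALERT_RE.search(m[3])],
                }
    return findings

# Constructed sample: eight signup confirmations to dot variants of one
# mailbox, one alert in the middle, and an unrelated quiet mailbox.
T0 = datetime(2026, 1, 1, 10, 0)
VARIANTS = ["jdoe@gmail.com", "j.doe@gmail.com", "jd.oe@gmail.com", "j.d.o.e@gmail.com"]
SAMPLE = [(T0 + timedelta(minutes=i), VARIANTS[i % 4], f"noreply@list{i}.example",
           "Confirm your subscription") for i in range(8)]
SAMPLE += [
    (T0 + timedelta(minutes=3, seconds=30), "jdoe@gmail.com", "alerts@bank.example", "Password reset requested"),
    (T0 + timedelta(minutes=5), "quiet.user@gmail.com", "noreply@list1.example", "Confirm your subscription"),
]
```

Running `find_bombing(SAMPLE)` flags only the flooded mailbox and lists the password-reset subject under `buried`, which is the message to check first during such an event.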
2. Industrial-Scale Cryptocurrency Fraud & Government Sanctions
[09:34–18:31] Joe’s Story: Sanctions & Scam Centers
- Case Study: UK sanctions against a Chinese crypto marketplace (“Jinbi”/Zinbi) for enabling and profiting from scam centers in Southeast Asia.
  - Tracked by Chainalysis: $20 billion processed in 4 years.
  - Tied to “industrial-scale scam center compounds” with documented human trafficking (victims forced to work scams).
  - Sanctions target scam infrastructure (“the backbone”), like payment channels and laundering networks, aiming to disrupt operations rather than just prosecuting individuals.
- Global Scope:
  - These scams launder “several countries’ GDPs” worth of criminal money annually ([13:43]).
  - Even asset seizures are limited by the decentralized and cross-jurisdictional nature of crypto.
- Regulatory Limits:
  - Regulating only exchanges falls short, as crypto wallets and other infrastructure can be redeployed elsewhere.
  - Chinese capital controls ($50k outbound transfer limit) have driven money laundering and underground crypto schemes.
- Quotes:
  “So much money… half a trillion dollars in global fraud. And again, that’s just what we know about.”
  – Joe Kerrigan [13:56]
  “Dirty money… we can’t even calculate the number as a money coming from... it’s so much more to everything.”
  – Michelle Kellerman [13:47]
3. Title Fraud: “House Stealing” Scams
[18:44–26:18] Michelle’s Story: LA Home Title Fraud
- The Scheme: FBI arrests LA ring for “house stealing” targeting older Americans with fully paid-off homes. Using stolen identities and publicly accessible records, attackers take out fraudulent loans using these homes as collateral.
  - $17 million sought; $6 million fraudulently obtained since 2022.
  - Victims often unaware until foreclosure notices or legal action.
- Why It Works:
  - Public property records combined with identity theft are weaponized for fraud.
  - Insufficient bank/lender due diligence.
- Victim Recourse & Prevention:
  - Title insurance typically covers past, not ongoing, fraud.
  - Legislative fixes are emerging (e.g., Maine proposing scam victims shouldn’t be taxed on stolen funds).
  - “Just because your house is paid off doesn’t mean you have to stop paying attention to it.”
    – Maria Varmazes [25:07]
- Insightful Moments:
  “You’re gonna give a house loan with a fake ID and email address? 20-year olds trying to sneak into a bar can do that! What are you doing?”
  – Michelle Kellerman [23:10]
  “From my perspective, that is not my problem. You guys let somebody take out a fraudulent loan... go figure this out and stop bothering me.”
  – Joe Kerrigan [22:58]
4. Captcha Scams & “Irritation as an Attack Vector”
[27:38–32:37] Maria’s Story: Captcha Scam & Emotional Manipulation
- The Con: Victims land on a fake Captcha page (mimicking Cloudflare), asked to press a key sequence (e.g., Windows+R, Ctrl+V, Enter), which surreptitiously launches malware (SteelC) via pasted PowerShell script.
  - Targets gaming accounts, crypto wallets, other sensitive data.
  - Leverages users’ “irritation” over constant security checks and complex captchas.
- Psychology:
  - Modern internet security “weirdness” (strange captchas, multi-factor requests) lowers the bar for what feels suspicious.
  - Attackers exploit not only fear but also user annoyance to shortcut vigilance.
- Quotes:
  “If you’re just hitting random keys because a website tells you to, please don’t do that. Captchas should never be having you hit random keys.”
  – Maria Varmazes [29:52]
  “Fear is a very powerful feeling in this game. So is irritation.”
  – Michelle Kellerman [06:47]
5. Catch of the Day: Phishing Attempt Analysis
[33:00–36:47] Joe’s Catch from Reddit
- Exhibit: Poorly crafted Medicare phishing email—centered text, clunky wording, and a suspicious link masquerading as “login.gov.”
  - “Dear Medicare Representative, I am writing regarding my access to my online government services accounts...”
  - Link points to a dubious Cloudflare URL, not actual government site.
- Panel’s Take:
  - Amateur-hour effort, possibly generated by AI.
  - Overly specific targeting (“Medicare Representative”) unnecessarily limits effectiveness.
  - Becomes an opportunity to laugh and learn.
- Memorable One-Liners:
  “If you’re gonna try and steal my stuff, like, put in some effort!”
  – Michelle Kellerman [36:05]
  “It’s lazy. Lazy. It’s messy. Lazy.”
  – Maria Varmazes [36:34]
Notable Quotes
- On social engineering:
  “You’re annoying me. I’m not thinking you’re suspicious, I’m thinking you’re annoying. Yeah, it works.”
  – Michelle Kellerman [06:57]
- Industrial fraud scale:
  “I’m having a hard time with the scope of just how much dirty money there is that we didn’t know about…”
  – Michelle Kellerman [13:47]
- On victim recourse:
  “Just because your house is paid off doesn’t mean you have to stop paying attention to it.”
  – Maria Varmazes [25:07]
- Emotional attack vectors:
  “Because their crimes are fictitious. My irritation is real.”
  – Michelle Kellerman [32:16]
- On poor phishing:
  “Go start a lemonade stand. Do something productive with your life.”
  – Michelle Kellerman [36:39]
Timestamps for Key Segments
- Email Bombing / Subscription Attack Discussion: [01:00–08:46]
- UK Crypto Sanction Story / Industrial Scam Centers: [09:34–18:31]
- LA Title Fraud / House Stealing Scam: [18:44–26:18]
- Captcha Malware Scam & User Psychology: [27:38–32:37]
- Catch of the Day – Phishing Breakdown: [33:00–36:47]
Additional Resource
- Charity Plug: Blood Cancer United (formerly Leukemia and Lymphoma Society) fundraiser in memory of a co-host’s friend’s child now in remission. Link in show notes. [37:36–38:32]
Takeaways
- Digital trust is easily abused; so are human emotions like fear and irritation.
- Vigilance against weird or annoying cyber events is crucial.
- Even institutions (banks, government) struggle to keep up with fraud methods—consumers can only do so much.
- If you encounter mass spam, sudden loan notices, or fishy “verification requests,” pause and investigate—these are classic hooks for financial and identity fraud.
- Don’t click unsubscribe in spam, don’t execute random key combos, and always scrutinize phishing attempts, even mediocre ones.
For more in-depth stories and advice, check out the episode’s show notes and linked resources.
