Trust me, I’m legit. - Hacking Humans

Transcript

A (0:02)

You're listening to the Cyberwire Network, powered by N2K.

B (0:14)

Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Kerrigan. Hey there, Joe.

C (0:30)

Hi, Dav.

B (0:32)

And our N2K colleague and host of the T minus Space Daily podcast, Maria Vermazes, is at a conference this week. She's actually in Florida at the Space Week conference.

C (0:41)

That must be very nice.

B (0:42)

I think that's a pretty cool place. Pretty cool conference to be at that time.

A (0:46)

The Artemis launch window opening this week.

B (0:48)

That's right. That's right.

C (0:49)

I just want to be in Florida where it's warm.

B (0:51)

Right, right. Well, filling in for Maria this week is our friend of the show, Michelle Kellerman. Hello, Michelle.

A (0:58)

Hi, Dave. And hi, Joe.

B (0:59)

We've got some good stories to share this week, but first, let's get into our follow up.

C (1:04)

Joe, Big chicken news. Dave.

A (1:07)

I was so excited when I saw this.

C (1:09)

Yeah, we have our first eggs. This is a lot earlier than I was expecting. I think you and I have discussed this offline, not online. Yeah. Oh, have we? When I was gonna. I was not planning on getting eggs until, like, April.

B (1:23)

March.

C (1:24)

April of this year. But one of our hens, and I believe it is my favorite hen. Snugglebug.

B (1:29)

Snuggle buggle bug. Never disappoints. Right. That's all the snuggling. Yes.

Summary

Hacking Humans — “Trust me, I’m legit.”

Podcast by N2K Networks
Date: February 5, 2026

Episode Overview

This episode dives deep into the evolving world of social engineering, deception, and cyber crime—especially focusing on how trust can be weaponized. The hosts (Dave Bittner, Joe Kerrigan, with Michelle Kellerman filling in for Maria Varmazes) examine case studies ranging from audacious financial frauds to cutting-edge phishing tactics. The stories serve as warnings about the consequences of misplaced trust, the sophistication of fraudsters, and the critical need for always-on due diligence in the face of social engineering.

Key Discussion Points & Insights

1. Opening Banter & Audience Engagement

Time: 00:14–09:38

Chicken Chronicles: Joe provides a quirky, personal update about his backyard chickens, delighting listeners with anecdotes about egg production in winter, chicken care, and the rising “cost per egg” of his hobby.
- Notable quote (Joe, 04:06): “Which brings the average cost per egg down to about $400.”
Humorous debate about the anatomical details of chickens, fire safety concerns with heat lamps, and the value of being a “friend with chickens” versus owning them.
Takeaway: Even in tech-centric podcasts, personal stories keep it human and relatable.

2. The Fraudster Who Never Quit: The Nick Patel Saga

Time: 09:38–21:37

Key Story: Joe details the multi-year, multi-layered con run by Nikesh “Nick” Patel, from creating a fake financial company to manufacturing entire loan portfolios used to defraud institutions.
Steps in the Scheme:
- Patel founded First Farmers Financial, fabricated $20 million in “assets,” and created fake documents.
- Secured USDA loan guarantees and sold fabricated loans (totaling $179 million) to Pennant Management, a firm that failed to thoroughly verify his claims.
Escalation & Fallout:
- Once Pennant noticed inconsistencies and no loan payments, the FBI was notified. Patel was arrested and Pennant Management collapsed.
- Notable quote (Joe, 14:03): “He ruined this company. Right, Nick.”
- But Wait, There’s More: Even after pleading guilty and while awaiting sentencing, Patel invented a new persona and conned Farmer Mac—a government-backed lending agency—out of $20 million.
- Before sentencing, attempted to flee to Ecuador but was intercepted by the FBI.
- While in prison, Patel and his wife orchestrated yet another multimillion-dollar fraud involving the USDA.
- When caught, authorities found 3,000 pages of fraud documentation in Patel’s cell.
Sentencing: Patel is currently serving over 53 years; his wife received 51 months.
Social Engineering Angle: The con artist’s smooth-talking, convincing documentation, and exploitation of institutional trust was at the crux.
- Notable quote (Michelle, 18:57): “When I bought my house, I felt like I had to do a blood pact and dental impressions to get my mortgage. [But] here they just said, ‘Yeah, you’re cool!’”
Key Lesson: Fraudsters look legitimate by targeting precisely what due diligence checks expect—a dangerous vulnerability when institutions rubber-stamp without verification.

3. Breaking News: ShinyHunters’ High-Level Vishing/Phishing Campaigns on Okta (SSO) Targets

Time: 21:37–32:03

Latest Attack Trends: Michelle shares insights into a rapidly unfolding attack campaign abusing Okta’s Single Sign-On (SSO) service.
Attackers’ Tactics:
- Voice phishing (vishing) combined with painstakingly tailored phishing kits.
- Attackers register over 150 company-specific domains, perfectly mimicking login pages for Okta, Google, and Microsoft MFA solutions.
- After initial access, criminals enroll their own MFA devices for persistent access.
Notable quote (Michelle, 24:10): “It’s a single point of failure—if you have access to the multi-factor authentication.”
High-Value Targets: Financial institutions, healthcare, and banking are the primary victims; attackers go for gold, not “low-hanging fruit.”
Running gag on ‘vishing’ terminology (25:35–26:29):
- Dave: “What’s the short important name for that, Joe?”
- Michelle: “It’s called vishing.”
- (Laughter and collective groaning about the proliferation of infosec lingo: vishing, smishing, quishing, etc.)
Key Point: Attackers now consider sophisticated social engineering campaigns less “work” (and more effective) than writing new malware.
- Notable quote (Michelle, 29:06): “They’re willing to do all this extra work to just not use malware.”
Protection Tips:
- Use physical MFA hardware tokens like YubiKey—these can’t be phished.
- Be wary of any “urgent” help desk calls or prompts; real help desks rarely call or ask for MFA via phone.
- Double-check all URLs, avoid following unexpected authentication links, and—if possible—verify face-to-face or through known, separate channels.

4. Phishing for Password Managers: The LastPass Scam

Time: 32:03–39:42

Campaign Overview:
- A sophisticated phishing campaign poses as LastPass, tricking users into urgently “backing up” their vaults (and handing over master passwords).
- Classic social engineering trigger: artificial urgency—“Do this in 24 hours or lose access.”
- Notable quote (Dave, 34:57): “Artificial time horizon—exactly.”
Implications of Compromise:
- If an attacker gets your master password, they control everything in your vault: passwords, secure notes, credit cards, etc.
Mitigation Advice:
- Use FIDO2-compliant hardware authenticators if supported by your password manager.
- As Michelle points out (35:28): “A common rule of thumb is companies will not prompt you for the action—they will wait for something to not work and then you call them.”
- Notable quote (Michelle, 39:01): “Some days it’s like I’m one poorly timed MFA request away from a bad mood!”
Cultural theme: Even hosts note the aggravation and inconvenience of multi-factor authentication—but emphasize that security is worth the hassle.

5. Catch of the Day: Scambaiting Laughs

Time: 43:04–46:27

Segment Highlights:
- Hosts enact hilarious text exchanges between a scambaiter and an attempted scammer (“Annie, the same Annie who beat my brother to death?” — “Yes.”)
- Another with a scammer trying to lure someone to a “Texas BBQ” that quickly devolves into insults when the target plays along.
- Michelle (46:06): “You would think doing the most irritating thing in existence…you’d have a better temper!”
Segment Tone: Lighthearted, showing that turning the script on scammers can be cathartic and funny.

Memorable Quotes

On social engineering due diligence:
- Joe (20:18): “Nobody from Pennant said, ‘Hey, why don’t we call the USDA and verify these numbers?’…If you do that, the USDA goes, ‘Nope, none of these are real numbers.’ Then you call the FBI before you send any money.”
On the human factor:
- Michelle (28:25): “79% of attacks are now malware free. They are going through people. It’s not code. It’s not software. This just goes to show how far they’re willing to go to not do malware.”

Notable Timestamps

Chicken Banter/Bonding: 00:14–09:38
Patel Fraud Case Study: 09:38–21:37
Okta SSO/Phishing Attack: 21:37–32:03
LastPass Phishing Campaign: 32:03–39:42
Audience Scambaiting Stories: 43:04–46:27

Key Takeaways & “Lessons Learned”

Trust, not Technology, is the Real Target: Across all stories, attackers weaponized trusted procedures (loans, single sign-on, password resets) and targeted the people or processes most likely to assume “everything’s fine.”
Due Diligence is Non-Negotiable: Even large organizations can fall victim if they only check boxes, not facts.
Physical (Hardware) MFA is King: Every cyber expert on the show emphasized this. Phishing campaigns grow more convincing; physical keys are nearly impossible to steal online.
Help Desks Don’t Cold-Call You for Urgent MFA: If someone pressures you via phone or urgent prompts, always verify through a separate, trusted channel—in person if possible.
Adversaries are Adaptive: Attackers now orchestrate malware-free attacks using highly credible social engineering rather than technical exploits.
Humor Helps: Making light of scams—when possible—diffuses the tension and educates in engaging ways.

Episode in a Nutshell

This episode, brimming with expert storytelling and camaraderie, blends technical analysis with humor and practical advice. Whether discussing multimillion-dollar frauds or the latest phishing kits, the central lesson rings true: No matter the sophistication of tools, social engineering exploits human trust and system assumptions. Vigilance, hardware MFA, and an ounce of skepticism are more vital than ever.