Hacking Humans — “Trust me, I’m legit.”
Podcast by N2K Networks
Date: February 5, 2026
Episode Overview
This episode dives deep into the evolving world of social engineering, deception, and cybercrime, focusing on how trust is weaponized. The hosts (Dave Bittner and Joe Carrigan, with Michelle Kellerman filling in for Maria Varmazis) examine case studies ranging from audacious financial frauds to current phishing tactics. The stories serve as warnings about the consequences of misplaced trust, the sophistication of fraudsters, and the need for due diligence that actually verifies rather than rubber-stamps.
Key Discussion Points & Insights
1. Opening Banter & Audience Engagement
Time: 00:14–09:38
- Chicken Chronicles: Joe provides a quirky, personal update about his backyard chickens, delighting listeners with anecdotes about egg production in winter, chicken care, and the rising “cost per egg” of his hobby.
- Notable quote (Joe, 04:06): “Which brings the average cost per egg down to about $400.”
- Humorous debate about the anatomical details of chickens, fire safety concerns with heat lamps, and the value of being a “friend with chickens” versus owning them.
- Takeaway: Even in tech-centric podcasts, personal stories keep it human and relatable.
2. The Fraudster Who Never Quit: The Nick Patel Saga
Time: 09:38–21:37
- Key Story: Joe details the multi-year, multi-layered con run by Nikesh “Nick” Patel, from creating a fake financial company to manufacturing entire loan portfolios used to defraud institutions.
- Steps in the Scheme:
- Patel founded First Farmers Financial, fabricated $20 million in “assets,” and created fake documents.
- Claimed USDA loan guarantees that the USDA had never issued, and sold the fabricated loans (totaling $179 million) to Pennant Management, a firm that never confirmed the guarantees with the USDA itself.
- Escalation & Fallout:
- Once Pennant noticed inconsistencies and no loan payments, the FBI was notified. Patel was arrested and Pennant Management collapsed.
- Notable quote (Joe, 14:03): “He ruined this company. Right, Nick.”
- But Wait, There’s More: Even after pleading guilty and while awaiting sentencing, Patel invented a new persona and conned Farmer Mac (the Federal Agricultural Mortgage Corporation, a government-sponsored enterprise) out of $20 million.
- Before sentencing, he attempted to flee to Ecuador but was intercepted by the FBI.
- While in prison, Patel and his wife orchestrated yet another multimillion-dollar fraud involving the USDA.
- When caught, authorities found 3,000 pages of fraud documentation in Patel’s cell.
- Sentencing: Patel is currently serving over 53 years; his wife received 51 months.
- Social Engineering Angle: The con artist’s smooth talk, convincing documentation, and exploitation of institutional trust were at the crux.
- Notable quote (Michelle, 18:57): “When I bought my house, I felt like I had to do a blood pact and dental impressions to get my mortgage. [But] here they just said, ‘Yeah, you’re cool!’”
- Key Lesson: Fraudsters look legitimate by producing exactly the artifacts a due-diligence checklist expects. The control fails when an institution confirms that a document exists instead of confirming with the issuer that it is real.
3. Breaking News: ShinyHunters’ High-Level Vishing/Phishing Campaigns on Okta (SSO) Targets
Time: 21:37–32:03
- Latest Attack Trends: Michelle shares insights into a rapidly unfolding campaign that impersonates Okta single sign-on (SSO) login pages to harvest credentials and MFA codes; the weak point being exploited is the user, not Okta’s software.
- Attackers’ Tactics:
- Voice phishing (vishing) combined with painstakingly tailored phishing kits.
- Attackers register over 150 company-specific lookalike domains hosting close copies of the Okta, Google, and Microsoft login and MFA prompts, which capture both the password and the one-time code the victim types.
- After initial access, criminals enroll their own MFA devices, so subsequent logins no longer depend on the victim at all.
- Notable quote (Michelle, 24:10): “It’s a single point of failure—if you have access to the multi-factor authentication.”
- High-Value Targets: Financial institutions, healthcare, and banking are the primary victims; attackers go for gold, not “low-hanging fruit.”
- Running gag on ‘vishing’ terminology (25:35–26:29):
- Dave: “What’s the short important name for that, Joe?”
- Michelle: “It’s called vishing.”
- (Laughter and collective groaning about the proliferation of infosec lingo: vishing, smishing, quishing, etc.)
- Key Point: Attackers now consider sophisticated social engineering campaigns less “work” (and more effective) than writing new malware.
- Notable quote (Michelle, 29:06): “They’re willing to do all this extra work to just not use malware.”
- Protection Tips:
- Use phishing-resistant MFA: a FIDO2/WebAuthn hardware token such as a YubiKey. The browser binds the credential to the legitimate site’s origin, so a lookalike login page cannot obtain anything it can replay. The protection comes from the protocol, not the plastic: the same key used as a one-time-code generator (OTP/TOTP) is still phishable.
- Treat any “urgent” help desk call or unexpected MFA prompt with suspicion; real help desks rarely cold-call, and they do not need you to read out an MFA code or approve a push to do their job.
- Check the domain in the address bar before entering credentials, never authenticate through a link you did not request, and verify requests through a channel you already trust, such as calling back on a number you have on file, or in person.
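The persistence step described above (get in once, then add your own MFA device) leaves a footprint in identity-provider logs. As an added example, not code from the episode, from Okta or from any ShinyHunters reporting, the following Python flags factor enrollments that follow either a user's first sign-in from a never-before-seen address or a recent password reset. The records imitate the shape of Okta System Log entries, but they are constructed here for illustration, and the event-type strings and field names are assumptions to check against your own tenant's export before reuse.

```python
"""Flag MFA factor enrollments that look like attacker persistence.

Added example, not from the episode, Okta or ShinyHunters reporting. Records
mimic Okta System Log entries but are constructed; the eventType strings and
field names are assumptions to verify against a real tenant export.
"""
from datetime import datetime, timedelta, timezone

ENROLL = "user.mfa.factor.activate"     # assumed: a new factor finished enrolling
LOGIN = "user.session.start"            # assumed: interactive sign-in
RESET = "user.account.reset_password"   # assumed: password reset (e.g. by help desk)

# Constructed sample events, not real log data. All on the episode's date, UTC.
EVENTS = [
    # carol: enrolls a factor from an address she has used before -> benign
    {"published": "2026-02-05T09:00:00Z", "eventType": LOGIN,  "actor": "carol", "ip": "192.0.2.7",     "outcome": "SUCCESS"},
    {"published": "2026-02-05T09:02:00Z", "eventType": ENROLL, "actor": "carol", "ip": "192.0.2.7",     "outcome": "SUCCESS"},
    # dave: new address, but the enrollment comes 90 minutes later -> outside window
    {"published": "2026-02-05T09:30:00Z", "eventType": LOGIN,  "actor": "dave",  "ip": "198.51.100.20", "outcome": "SUCCESS"},
    {"published": "2026-02-05T11:00:00Z", "eventType": ENROLL, "actor": "dave",  "ip": "198.51.100.20", "outcome": "SUCCESS"},
    # alice: first-ever sign-in from this address, factor added 90 seconds later
    {"published": "2026-02-05T14:00:00Z", "eventType": LOGIN,  "actor": "alice", "ip": "203.0.113.10",  "outcome": "SUCCESS"},
    {"published": "2026-02-05T14:01:30Z", "eventType": ENROLL, "actor": "alice", "ip": "203.0.113.10",  "outcome": "SUCCESS"},
    # bob: password reset, then a new factor 20 minutes later from a known address
    {"published": "2026-02-05T15:00:00Z", "eventType": RESET,  "actor": "bob",   "ip": "198.51.100.5",  "outcome": "SUCCESS"},
    {"published": "2026-02-05T15:05:00Z", "eventType": LOGIN,  "actor": "bob",   "ip": "198.51.100.5",  "outcome": "SUCCESS"},
    {"published": "2026-02-05T15:20:00Z", "eventType": ENROLL, "actor": "bob",   "ip": "198.51.100.5",  "outcome": "SUCCESS"},
]

# Constructed baseline: addresses each user was seen from over the prior 30 days.
KNOWN_IPS = {"carol": {"192.0.2.7"}, "bob": {"198.51.100.5"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_suspicious_enrollments(events, known_ips, login_window_min=15, reset_window_min=60):
    """Return one alert per successful factor enrollment that follows either
    (a) the user's first sign-in from a never-before-seen address within
    login_window_min minutes, or (b) a password reset within reset_window_min.
    Both match the footprint the episode describes: talk or phish your way in,
    then add your own device so the victim is never needed again."""
    events = sorted(events, key=lambda e: e["published"])  # ISO-8601 UTC sorts lexically
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != ENROLL or ev["outcome"] != "SUCCESS":
            continue
        user, ip, t = ev["actor"], ev["ip"], parse_ts(ev["published"])
        reasons = []
        for prev in events[:i]:  # only this user's earlier events matter
            if prev["actor"] != user:
                continue
            age = t - parse_ts(prev["published"])
            mins = int(age.total_seconds() // 60)
            if (prev["eventType"] == LOGIN and prev["ip"] == ip
                    and age <= timedelta(minutes=login_window_min)
                    and ip not in known_ips.get(user, set())):
                reasons.append(f"factor enrolled {mins}m after first-ever sign-in from {ip}")
            if prev["eventType"] == RESET and age <= timedelta(minutes=reset_window_min):
                reasons.append(f"factor enrolled {mins}m after a password reset")
        if reasons:
            alerts.append({"user": user, "time": ev["published"], "ip": ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in flag_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(a["time"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

On the constructed data this flags alice (new factor ninety seconds after a sign-in from an address she had never used) and bob (new factor twenty minutes after a password reset), and stays quiet for carol and dave. The windows are tunable; widening the login window to two hours would also catch dave, at the cost of more benign enrollments to triage.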
4. Phishing for Password Managers: The LastPass Scam
Time: 32:03–39:42
- Campaign Overview:
- A sophisticated phishing campaign poses as LastPass, tricking users into urgently “backing up” their vaults (and handing over master passwords).
- Classic social engineering trigger: artificial urgency—“Do this in 24 hours or lose access.”
- Notable quote (Dave, 34:57): “Artificial time horizon—exactly.”
- Implications of Compromise:
- If an attacker gets your master password, they control everything in your vault: passwords, secure notes, credit cards, and anything else stored there. The master password is the one secret the vault’s protection rests on, so nothing else stands between the attacker and its contents.
- Mitigation Advice:
- Use FIDO2-compliant hardware authenticators on the password manager account if your password manager supports them; a phished master password is then not enough on its own to open the vault from a new device.
- As Michelle points out (35:28): “A common rule of thumb is companies will not prompt you for the action—they will wait for something to not work and then you call them.”
- Notable quote (Michelle, 39:01): “Some days it’s like I’m one poorly timed MFA request away from a bad mood!”
- Cultural theme: Even hosts note the aggravation and inconvenience of multi-factor authentication—but emphasize that security is worth the hassle.
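Both the Okta and the LastPass segments recommend FIDO2 hardware keys without spelling out why a lookalike page cannot phish them. As an added example, not code from the episode, Okta, LastPass or any FIDO vendor, the following Python walks a WebAuthn assertion through the browser's and the relying party's checks. The relying party https://login.example.com, the phishing page https://login-example.com and the challenge values are constructed; an HMAC over the signed data stands in for the authenticator's real ECDSA/Ed25519 signature. What gets signed (authenticatorData plus the hash of clientDataJSON, which carries the page origin) follows the WebAuthn specification.

```python
"""Why a FIDO2/WebAuthn login survives a lookalike domain while a typed code does not.

Added example; not code from the episode or from any vendor. RP, phishing
origin and challenges are constructed. HMAC stands in for the authenticator's
real asymmetric signature; the signed structure follows WebAuthn.
"""
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                 # assumed relying party ID
RP_ORIGIN = "https://login.example.com"     # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.com"  # constructed lookalike domain


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Toy security key: one credential secret per rpId."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]  # stands in for the public key handed to the RP

    def get_assertion(self, rp_id, client_data):
        # authenticatorData = rpIdHash || flags (user present) || signCount
        auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.creds[rp_id], signed, "sha256").digest()


def browser_get(authenticator, page_origin, rp_id, challenge):
    """The browser's role: the rpId must be the page's domain or a parent of it,
    and clientDataJSON records the actual page origin; the page cannot lie."""
    domain = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if domain != rp_id and not domain.endswith("." + rp_id):
        raise ValueError(f"rpId {rp_id} not valid for origin {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred_secret, challenge, client_data, auth_data, sig):
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type/challenge"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legit_login():
    key = Authenticator()
    secret = key.register(RP_ID)
    challenge = os.urandom(16).hex()
    return rp_verify(secret, challenge, *browser_get(key, RP_ORIGIN, RP_ID, challenge))


def phish_lookalike_domain():
    """The phishing page asks the browser for the real RP's credential: refused outright."""
    key = Authenticator()
    key.register(RP_ID)
    try:
        browser_get(key, PHISH_ORIGIN, RP_ID, "c0ffee")
    except ValueError as e:
        return str(e)
    return "unexpectedly succeeded"


def phish_relay_with_rewritten_origin():
    """Adversary-in-the-middle relay. Even if an assertion were produced on the
    phishing page, forwarding it fails the origin check, and patching the origin
    breaks the signature because the hash of clientDataJSON is what was signed."""
    key = Authenticator()
    secret = key.register(RP_ID)
    challenge = "c0ffee"  # the real RP's challenge, relayed by the attacker
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = key.get_assertion(RP_ID, client_data)  # browser check bypassed for the demo
    forwarded = rp_verify(secret, challenge, client_data, auth_data, sig)
    patched = json.loads(client_data)
    patched["origin"] = RP_ORIGIN
    rewritten = rp_verify(secret, challenge, json.dumps(patched).encode(), auth_data, sig)
    return forwarded, rewritten


if __name__ == "__main__":
    print(legit_login())
    print(phish_lookalike_domain())
    print(phish_relay_with_rewritten_origin())
```

The contrast with a six-digit code is the point: a TOTP value carries no origin, so the same relay that fails twice here (once on the origin field, once on the signature over it) succeeds trivially when the victim types the code into the lookalike page. A YubiKey used in OTP mode is in that second category; only the FIDO2 path gets the origin binding shown above.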
5. Catch of the Day: Scambaiting Laughs
Time: 43:04–46:27
- Segment Highlights:
- Hosts enact hilarious text exchanges between a scambaiter and an attempted scammer (“Annie, the same Annie who beat my brother to death?” — “Yes.”)
- Another with a scammer trying to lure someone to a “Texas BBQ” that quickly devolves into insults when the target plays along.
- Michelle (46:06): “You would think doing the most irritating thing in existence…you’d have a better temper!”
- Segment Tone: Lighthearted, showing that flipping the script on scammers can be cathartic and funny.
Memorable Quotes
- On social engineering due diligence:
- Joe (20:18): “Nobody from Pennant said, ‘Hey, why don’t we call the USDA and verify these numbers?’…If you do that, the USDA goes, ‘Nope, none of these are real numbers.’ Then you call the FBI before you send any money.”
- On the human factor:
- Michelle (28:25): “79% of attacks are now malware free. They are going through people. It’s not code. It’s not software. This just goes to show how far they’re willing to go to not do malware.”
Notable Timestamps
- Chicken Banter/Bonding: 00:14–09:38
- Patel Fraud Case Study: 09:38–21:37
- Okta SSO/Phishing Attack: 21:37–32:03
- LastPass Phishing Campaign: 32:03–39:42
- Audience Scambaiting Stories: 43:04–46:27
Key Takeaways & “Lessons Learned”
- Trust, not Technology, is the Real Target: Across all stories, attackers weaponized trusted procedures (loans, single sign-on, password resets) and targeted the people or processes most likely to assume “everything’s fine.”
- Due Diligence is Non-Negotiable: Even large organizations can fall victim if they only check boxes, not facts.
- Phishing-Resistant Hardware MFA is King: The hosts returned to this point in every segment. Phishing pages keep getting more convincing, but a FIDO2 key only answers the origin it was registered to, so a lookalike page gets nothing it can reuse.
- Help Desks Don’t Cold-Call You for Urgent MFA: If someone pressures you via phone or urgent prompts, always verify through a separate, trusted channel—in person if possible.
- Adversaries are Adaptive: Attackers now orchestrate malware-free attacks using highly credible social engineering rather than technical exploits.
- Humor Helps: Making light of scams, when possible, defuses the tension and educates in engaging ways.
Episode in a Nutshell
This episode, brimming with expert storytelling and camaraderie, blends technical analysis with humor and practical advice. Whether discussing multimillion-dollar frauds or the latest phishing kits, the central lesson rings true: No matter the sophistication of tools, social engineering exploits human trust and system assumptions. Vigilance, hardware MFA, and an ounce of skepticism are more vital than ever.
