
John R. Miles
Coming up next on Passion Struck.
Brad Deflin
You have to be intentional to protect yourself in this digital age because nobody else is going to do it for you. The ISP, your Internet provider, will not do it for you. They're trying to help with certain things. But the fact is your Internet provider is sucking up all your personal information with everything you do, back and forth. They're part of the game. You've got big tech, right, and big business constantly looking to suck up our personal information which invariably ends up in the wrong hands and goes sideways eventually. You have the government that really has not been a proponent down to the individual level, certainly on a national level or an enterprise level or a military level, but not on a consumer individual. You must take the initiative yourself on behalf of yourself as a head of household for your family.
John R. Miles
Welcome to Passion Struck. Hi, I'm your host, John R. Miles. And on the show we decipher the secrets, tips and guidance of the world's most inspiring people and turn their wisdom into practical advice for you and those around you. Our mission is to help you unlock the power of intentionality so that you can become the best version of yourself. If you're new to the show, I offer advice and answer listener questions on Fridays. We have long-form interviews the rest of the week with guests ranging from astronauts to authors, CEOs, creators, innovators, scientists, military leaders, visionaries and athletes. Now let's go out there and become Passion Struck. Coming up next on Passion Struck. Welcome to episode 639 of Passion Struck. I'm your host, John Miles. And whether you're back for more or joining us for the first time, I am so glad that you're here. This month on the show, we're exploring the power to change, a series about evolving not just in your habits, but in your identity, your relationships, and how you show up in the world. Earlier this week in episode 637, I sat down with cultural psychologist Steven Heine to explore how our cultural programming silently shapes who we become. And in episode 638, Michelle Chalfant walked us through the power of emotional maturity and her Adult Chair model for self-leadership and inner healing. But what about the power to protect what you're building? Because let's face it, transformation isn't just about becoming someone new. It's also about safeguarding the life you've worked so hard to create. That's why today's episode is a little bit different. Instead of a solo episode, I wanted to bring you this urgent conversation with cybersecurity expert Brad Deflin, founder of Total Digital Security. A very good friend of mine has used Brad's services in the past and thought his message is so profound that he suggested that I do this interview for the benefit of the Passion Struck community.
In a world where cyber threats are growing more personal, more invasive, and more invisible than ever before, Brad makes one thing clear. Cybersecurity isn't just a tech problem, it's a human one. Together we'll explore why digital risk is now a personal crisis. We go into how scammers are using AI to mimic voices and hijack trust. And most importantly, the three steps you should take today to protect what you've built. This episode is a wake-up call, but also an empowering toolkit. And if you're ready to go deeper into intentional living and everything we do here at Passion Struck, then subscribe to our Substack at theignitedlife.net for weekly insights. While you're there, join the Ignition Room, our members-only community, and show your support of the community by wearing apparel from our merchandise line. You can also follow along on YouTube at either johnrmiles or passionstruck clips for full episodes and bonus content. Here's my urgent and eye-opening conversation with Brad Deflin. Thank you for choosing Passion Struck and choosing me to be your host and guide on your journey to creating an intentional life. Now let that journey begin. I am so excited today to welcome Brad Deflin to Passion Struck. Welcome, Brad.
Brad Deflin
Glad to be here, John.
John R. Miles
As I talked about in my introduction, today isn't the typical episode that I do on the podcast, but I thought it was really important to bring you on today because I've personally lived the chaos of cybercrime and back when I was a senior executive at Lowe's, I was hired to deal with what at that time was the largest retail hacking incident of its kind. Not sure many of the Passion Struck listeners know that, so I know firsthand that the threat is real, it's evolving and on a human basis, it's deeply personal. So I think this is a good starting point. You walked away from a very successful financial career to build your company Total Digital Security. And what did you see as the shift that was coming before most did that made you leave that successful financial career?
Brad Deflin
So it was an aha moment. It was a sudden realization that the world, the Face of Risk, as I called it, was changing. When you are in the financial services business and you're dealing with ultra-high-net-worth clients and families and family offices like me, like I was, everything is about risk mitigation, risk management. And that's not just their investments, their stocks and bonds, but it's other elements of risk. And so we always wanted to be value added and bring up topics that weren't necessarily directly related to the market, but were related to our clients that in many cases would be targets in crimes that others might not be targets, like kidnapping, for example. And so I was at JP Morgan at the time, it was 2012, managing some of the bank's largest clients around the world, multibillion-dollar families. And we had a series of incidents with the clients where I noticed a pattern for the very first time. And that was that they were being targeted by hackers for a criminal transaction, that is to fake them into sending them money, which was very different. That sounds obvious today, right? That's what happens and that's what we see every day, all day long. Back then, it was different. In 2012, cybercrime was an enterprise level problem. It was around theft of intellectual property. It was about corporate espionage, blackmail, in some cases, state actors, Pentagon, very large enterprises, not so much a transaction for criminal gain. These were called black hat escapades or exploits, if you would. This was a very personal thing and that was a little bit different. And it was happening at this tier because that's where the money was. But what we noticed with these clients is they were still using their AOL email accounts that they may have opened in 1996, or their Yahoo accounts or their MSN Hotmail accounts.
While they were captains of industry in some cases, and they had the best IT departments ever in their companies, that was not transcending into their personal life. There were no defenses, there was no awareness. And I coined it the democratization of cyber risk. And what I meant was that those were the very first indications that there was a shift where it was going to begin focusing on anybody that was connected to the Internet. Because at that point in 2012, we all were, which was a new phenomenon. It was coined the mobile revolution. It was unpredicted by anybody. But when Steve Jobs pointed to his first iPhone and he said this changes everything, he was spot on. He wasn't talking about the iPhone necessarily. He was talking about a supercomputer in the palm of your hand connected to 5 or 6 billion others around the world. That's what changed. And people, the mobile revolution was all about people wanting to use their personal computer, their device, their phone, wherever they were, the subway, Starbucks, the hotel. They didn't want to have to come home and turn on the computer under the desk and then get to work. So then we had clouds, and all of our information was dispersed and vulnerable. And that was really the moment that kicked off this enormous cybercrime epidemic that we see today. And so we noticed some of those fact patterns. We realized it was the start of something very big. And that's when we started the company.
John R. Miles
On Passion Struck, we talk a lot about human flourishing and building an intentional life. And the reason that you're here is because of a listener of the show who had a personal experience that they brought to my attention, where because of a threat to them, they had to chase down their auto pays, they had to freeze accounts, reset passcodes, and it basically disrupted their life for almost two months. And I bring this up because that's who referred me to talk to you, and I thought it was important. But you go through all this trouble of creating a life with intention. You start building the life you want and creating this mass of wealth that you want to bring into your life. And so when you and I were talking about the need to do this episode, the thought to me was, you have to be intentional about how you protect it as well. So my question to you is, why do you believe cybersecurity in our own personal security is now a pillar of living intentionally?
Brad Deflin
What really attracted me to doing this podcast with you, besides having the mutual friend, the mutual client, when I looked into your podcast and understood where you were coming from and some of the value that you added to your listeners, I felt that it was very much aligned with the principles. And what we see is our mission here, which we describe as cybersecurity for life. Let's think about that a minute. Cybersecurity for life. Multiple innuendos there. And the point is that you have to be intentional to protect yourself in this digital age, because nobody else is going to do it for you. The ISP, your Internet provider, will not do it for you. They're trying to help with certain things. But the fact is, your Internet provider is sucking up all your personal information with everything you do, back and forth. They're part of the game. You've got big tech, right? And big business constantly looking to suck up our personal information, which invariably ends up in the wrong hands and goes sideways eventually. You have the government that really has not been a proponent down to the individual level, certainly on a national level or an enterprise level or a military level, but not on a consumer individual. You must take the initiative yourself, on behalf of yourself as a head of household for your family. As a person that works with a small group, we deal with family offices, for example, because again, nobody's going to do it for you. And if you think that the Internet service provider with their antivirus is going to help, or if you think that the little features, it's not. The perpetrators are so smart, are skilled at using state-of-the-art technology for efficacy, that the only way you stand a chance in this hostile environment is to intentionally protect yourself, to take the responsibility on behalf of yourself and those that are counting on you to protect yourself. Because probabilities are very high that something can go wrong.
And yes, when it does go wrong, recovering in two months is not bad. I've seen cases where it's taken two years to recover. There is a long tail to recovery. We can talk about that in a little bit. But my point is to get to where I believe you need to be in today's hostile environment, much less the future. With AI, you've got to take the first step, you've got to take the initiative, you've got to do some critical thinking and invest in protecting your personal information, having the privacy that you seek, and being able to enjoy everything the digital world has to offer, including the Internet and artificial intelligence. In peace, with a sense of peace. It takes an intentional effort to accomplish that.
John R. Miles
And I'm sure you see it on an everyday basis almost. But I have heard it from my parents and friends of my parents and friends of mine and other colleagues that they're hit by ID theft, financial fraud. In some cases, they're even being harassed by these perpetrators.
Brad Deflin
Right.
John R. Miles
From your view, how widespread is this epidemic and how much is it growing in magnitude?
Brad Deflin
We see it every day, all day. But at the end of the day or at the end of the week, we still shake our heads with, wow, this stuff is crazy. And it just keeps getting crazier. We just keep saying that over and over. But from a higher point of view, beyond what we do all day, every day, the current statistics are that somebody in the US has their ID stolen every 22 seconds. In the US, a citizen of ours has their identity stolen. That amounts to something between 50 and 75 billion dollars in losses, those ID theft cases, according to the FBI. And according to the FBI, it's growing at a rate of 20 to 25% a year overall. Besides ID theft, cybercrime is now costing global GDP about 1%. About 1% of global GDP represents damages or damages represent about 1% of global GDP, which is almost 10 trillion dollars, our estimate, and damages just 18 months ago was six and a half trillion. That was adjusted by all the ones that run these numbers to ten and a half trillion now. So it's an enormous element when you put it together. And what's really interesting, John, and I think that has to be understood is that when we started in the business, 99% of these damages were enterprise state level damages. It wasn't even on the radar screen where the consumer damages are today. When you look at damages in its totality, about 70 to 80% of those damages are now consumer damages. The overall pie of damages and exploit is growing and growing, but the portion to consumers, individuals, everyday users of technology is even growing faster than the overall pie. And that brings us to where we are today.
John R. Miles
I think I shared with you that I have a very good friend who used to be the chief information security officer of a bank that was almost the size of JP Morgan Chase. My understanding is JP Morgan Chase is still the largest bank in the United States. This one was probably the second or third in terms of size. And he shared with me candidly that on a weekly basis tens of millions of dollars would disappear out of people's accounts and that the government would come back in and fill it back up because they didn't want to create wide scale panic. Oftentimes the victim didn't even know it was gone before the bank replaced it. Do you think that's going on across all the banks and this is just something that most people aren't aware of?
Brad Deflin
I don't know. I don't have that inside knowledge. It doesn't surprise me. I wouldn't doubt it. I do have a sense that broadly the level of damages, the volume of damages has been underreported. I'm not sure exactly why. On one hand I think that if you can use a big company name in your headline, the headline is more interesting. I don't know. Or if you can say the exploit was $100 million in damages, that might be a better headline than I lost $10,000. Right. I don't know what the reason is, but we by all means feel that this is a massively underreported situation. Certainly in the United States I would tell you that next time you go to a retail branch at a bank, if anybody ever does that anymore, look to see where the line is. And you might see they call them the private banker or the local banker, where you might want to go in, talk about getting a mortgage, a car loan, whatever. That line to get into one of those private offices at your local branch, more often than not, is a line of people that have just lost money, that are receiving texts that they don't know if they're real or not, are receiving emails and voicemails and they're very confused about what's happening and they need to talk to somebody about straightening it out. Those indicators tell me that we have an underreported situation here at the current time.
John R. Miles
I just closed on a house and I have to tell you a couple things are always nerve-wracking for me. One is when you wire the money, going through those digits so many times to make sure that you're sending it to the right place, especially if it's a lot of money, but you push the button. For as much as people have gone to online banking, I was shocked this last time how difficult it was to get an appointment in one of these branches. And I bank at a well-known bank that had probably seven or eight branch offices within about a 10-mile radius from me. And I could only find one appointment on the day I needed to wire the money because they're all so busy. So I think maybe what you're saying, you're onto something. So for the average listener or average viewer of this, a lot of what we're talking about feels invisible until it's too late. What are some of the most overlooked ways people are exposing themselves every day without even realizing they're doing it?
Brad Deflin
You're right, it's a very abstract subject. People struggle to see in their mind's eye the risk, what's going on. It's very frustrating. Very unlike traditional crime. There really aren't forensics that you can speak of, or certainly not traditional forensics. We are not taught certain life skills. We're taught don't walk down the dark road, dark alley, don't cross a busy street. Right? But we're not taught necessarily about what's the right way to use social media, what's the art and science of using passwords, how do you optimize your browsers to defend yourself? Are you using MFA on every single account that you have? Have you transcended considering MFA an inconvenience to considering it an empowering element of protecting yourself, an empowering element of taking the initiative and the intention to keep yourself safe on the Internet? So we try to talk to people in ways that they can build in their mind's eye the different elements that make a difference so that they can focus, they can pay attention and they can develop what we call critical thinking skills. But you have to go back to the fundamentals. And anything you work with, you have to go back to the fundamentals. And the fundamentals here are, number one, email is a very popular attack vector. When you are at your inbox, you've got to be on your toes. You've got to treat emails as guilty until proven innocent. Right. And you've got to be really discriminating around how you treat your inbox. You've got to use good passwords. And I can talk about that in detail on how to use good... the art and science of passwords, if you want, John. You've got to use MFA.
John R. Miles
Okay, just before you go on, can you explain what MFA is in case someone doesn't understand?
Brad Deflin
MFA, 2FA, two-factor authentication. It all essentially refers to the same thing. And what it is, it's an added proof that you're the right person trying to get into that account. It assures through two methods that you're the right... two separate, completely separate methods. One might be, well, they know the password. Okay. But do they also have the device they say they have with the phone number so they can send you a code? So if you entered your password on the website and you also got a text and entered the code that you got on your phone, that's two factors saying you're the right guy. Just adding that additional factor of getting that code mitigates the risk of somebody having stolen your password and getting into your email account immeasurably. Like 90% is mitigated. Right. It's one of those easy things. So any account that makes any difference at all to you, apply and enable two-factor authentication, MFA, they may call it, and get those codes before you get in to your website. It will make your life much more secure.
John R. Miles
Yeah, and it's not just that. I had some colleagues who are on YouTube who had successful YouTube accounts where they were making a lot of monetization on them, they didn't have two-factor authentication on them. Someone takes over the account and then holds them hostage and charges them a ransom to get access back to the account. Are you also seeing things like that happening with other social media accounts?
Brad Deflin
Absolutely, all the time. And so I think the default is any online account you have, enable two-factor, because there may be other information that could be interesting, personal information. Maybe they won't hack the account. Maybe there's no finance ability to financially move money, but there would be the ability to gather more personal information, to compose some sort of exploit because they know certain information that's on that website. So just basic habit: enable two-factor authentication, MFA. And I would say one more thing. Especially if you're a crypto trader, especially if you move money. Money in motion, right, is a honey trap. That's... money in motion is what hackers are looking all over the Internet for every day. An estate settlement, a closing transaction on a home, a wire transfer, a stock option exercise that might be public, et cetera, et cetera. If you are of that type that is moving money for whatever reason, instead of getting SMS codes on your text, opt to get an authenticator. That adds another level of security. Microsoft makes an authenticator, Microsoft Authenticator. Google makes an authenticator, Google Authenticator. I prefer Google Authenticator. It's user friendly and it's easier when you get a new phone than Microsoft is. However, some Microsoft products require you to use Microsoft Authenticator. What happens though when you use Authenticator is it lops off a whole nother element of risk. And that is if the phone company's been hacked or there's an insider at the phone company, there's a third party that somehow is able to get those texted codes to you. That's a risk. When you use an authenticator, you eliminate that risk. So again, if you're an investor, crypto trader, whatever you're wiring money around, whatever your duties are as a fiduciary, by all means download an authenticator and start using it with these important accounts.
John R. Miles
I use it for everything from my YouTube accounts to my social accounts to my major bank accounts. And I also use services similar to LastPass and others to help me generate strong passwords. What would be your advice on the password side?
Brad Deflin
So those are great habits and I think a password manager is essential. You still have people that say, I don't want all my eggs in one basket. And I understand that, but we have to think a little bit deeper. If you keep a spreadsheet of your passwords, all your eggs are in one basket. Whatever you're doing, you have that risk. The fact is though, that the best password managers, and I think most of them in the industry, now separate the keys to the encryption of your passwords. They're in two separate places. So LastPass could be hacked and LastPass has been hacked, but they're not going to get the passwords because the encryption key is someplace completely different. We prefer 1Pass. There are other good password managers, but 1Pass, 1Password, I should say, is the name. It's the number 1, Password. It is consistently ranked and, in our due diligence, consistently is at the top in terms of governance, technology, user experience, and really importantly, innovation. They're now making it easier to add passkeys so you don't even need to enter any SMS codes because you're taking the passkey approach built into your password manager. So all you do is click a button without entering any codes or numbers and you're in without compromising any security. So password manager is essential. Pick one of the top ones. They're all in the top 2, 3, 4. We like 1Password. And let's talk for a minute about the art and science of making passwords. First of all, when you use a password manager, you really only need to remember one password, and that's your master password to get in to the password manager. That is your vault of passwords that should be long and it should be unpredictable. And this is why we've always been taught that a good password should be long, should be unpredictable and should be complex. That is lowercase, uppercase, numbers, symbols. Honestly, complexity is not what drives a good password.
Only two things drive a good password, and that is length and lack of predictability. Some websites still require you to add complexity, uppercase, lowercase, and that's okay. But you can make it easy on yourself by just putting an exclamation point and a 1, 2, 3 after a long password. The science of passwords is this. If you use up to 12 or 14 characters, and that's a long password to a lot of people. But if you use up to 12 or 14, anybody can buy a password hacking software program or get it for free now on the Internet. They can hack a 12, 14 character password in less than an hour, sometimes even minutes. But the law of large numbers helps us when we go to 16 characters that will take years to crack. Using these password managers, it's simply much harder to do with long chains of numbers and characters. How, though, can you remember? Nobody... the human brain is not wired to remember 16, 18, 20, 22 random characters in a row. Don't even try. What to do is to use 2, 3, 4 words or a phrase. Don't make it predictable, don't make it "success in 2025". All right, three or four words. For example, a good password might be, and I used this in the past, think about this: cowboy, palm tree, moon, and then a number one and an exclamation point. Because most websites require the complexity. Now in my mind's eye, when I try to remember that password, I see a cowboy leaning against a palm tree on the moon. I capitalize cowboy, P on palm tree, M on moon. It satisfies the needs for my master password. I still write it down and put it in my sock drawer because the brain is a weird thing and you do not want to lose that master password. You will have issues. Right? But that's the way to at least construct it. Now, when you've got a long, good master password, you get into your password manager vault and everything else is done for you. I have mine set to 22 characters. My Amazon account has 22 random characters.
All accounts have very long, complex passwords that nobody could ever guess or hack using any modern password hacking software. And I will commit to you, any of the listeners, viewers, that if you just take a little bit of time to download the password manager, get used to the user interface and make a habit of using it for all of your accounts, I commit to you, not only will your life become vastly more secure online, your life will become vastly more convenient. You go to Amazon and, bing, it fills in 22 long characters and you're ready to go. You're not looking around, you're not... you eliminate all that frustration and friction and it works really well. So we actually hold one hour, we call them computer coaches, to help people just ramp up the learning. Here's how you look at the user interface, here's how you get started. That expedites the learning curve, the process for individuals and then they're on their way and you've got a lifetime partner in your password manager to stay secure and be convenient.
John R. Miles
Awesome advice, Brad. I now want to take us to a topic of what's really happening under the surface right now, especially the rise of something called the Smishing Triad. What is it and why should every listener and viewer be paying attention to this emerging threat?
Brad Deflin
Well, thank you for that question because it's a really big deal and it's something that we must be aware of and I'm going to tell you why. First of all, smishing, we all know what phishing is and that is, for example, an email comes in and it purports to be somebody else. And we've seen the awkward versions from Nigeria, the Prince and all that. We're not talking about that. We're talking about well-engineered: "Gosh, that looks like it's from FedEx, and my package is delayed. I better click that link." That's what that looks like. Well, now that's happening in texts, SMS, they're calling it smishing. Smishing is also the term that's being used to describe what we would call multi-vector phishing. So not only are you getting the phishing email but you're getting a text which corresponds to that email, and you're getting a phone call that corresponds too. And it's all beautifully timed and engineered so that your sense of it being legitimate is fooled because of the timing, the level of engineering, the level of fact and level of detail that's coming in. You say, wow, this is a real deal. And you lose the thought of this could be phishing or this could be smishing. It's so authentic. In addition, they're adding the element of artificial intelligence to it. The Smishing Triad is a group out of China. It's three, maybe four very successful hacking groups that we have to believe are supported by the CCP. Because of the level of technology they have and the amount of money they're making, it can't be off the radar screen of the CCP, I don't believe. The Chinese government, we believe, is fully aware, if not involved and supportive. And they've added this layer of collaboration amongst themselves and artificial intelligence so that there are constant feedback loops. For example, you get a text, you get a phishing email, you reply in some way, you engage in some way. Artificial intelligence then adjusts the exploit according to how things are taking place.
Pulling new information that they have on you. They have so much information, oh, we need this to make it look a little bit more real. They'll pull it in real time and it will be very difficult. They're going to be using voice phishing. It's going to sound like the banker, it's going to sound like the attorney that's closing on the home. It's. There are going to be all of these elements put together, orchestrated by artificial intelligence for efficacy and in real time. And our indicators are that they've got about a 60% success rate in these exploits. Now, a great exploit might get 3 or 4 or 5%, which is high. That means if you attack 100 people, 3, 4, 5 of them are going to become victims.
John R. Miles
Right?
Brad Deflin
That's pretty good business. And that's why every criminal syndicate in the world is retooling for cyber. They're batting .600 with this Smishing Triad as a result of AI in the way that they are so sophisticated in engineering these exploits, it's like the goose that is laying golden eggs. So we're already seeing, according to some resources, a million of these attacks a day. And it is just starting. So I will tell every listener, every viewer on the podcast, you 100% should expect during the course of 2025 to see this type of exploit in some shape or form. And that's where your awareness, that's where your critical thinking skills and that's where your deliberate process of thought is going to have to come forward, because it's going to be really convincing and it's going to challenge some of your basic survival skills that you've learned to date.
John R. Miles
Yeah. Just to give the listeners some perspective, the infrastructure behind this is something like 25,000 phishing domains active at once. They're hosted through companies like Alibaba or Tencent, and the operators are running walls of phones. My point here is this isn't some hacker that we see on TV in a hoodie. It's.
Brad Deflin
Right.
John R. Miles
Organized crime with corporate-like scale.
Brad Deflin
That's right.
John R. Miles
And it almost leads me to believe, like, we're at this tipping point of cybercrime becoming a parallel economy, which is a scary thought.
Brad Deflin
It is a scary thought. And the numbers. That's an interesting point, John, because North Korea got into the cybercrime business primarily for the economics. Right. Their currency isn't worth anything. They have financial issues. And when they can be in the business of cybercrime and taking in Bitcoin, North Korea, it's an element of their economic model at this point. So I get what you're saying. And with your experience in technology and your understanding of the risk with what you're seeing from the smishing triad, I can understand how you could see there potentially could be a cybercrime parallel economy and digital currencies, no less.
John R. Miles
I want the listener to understand how easy this is. I right now could plug in a 10 megabyte file that has me doing a series of my podcast into a tool, and it does such a good job of perfecting my voice and how I talk that I could create solo episodes and just put the text into this thing and it'll spit things out and the average listener would have no idea it was AI. Now, what's scary for someone like me, who's got so much content out there, is some third party could take my voice and do the same thing and start mimicking my voice, hijacking the trust that I might have from people in my community if they're starting to impersonate me. And this is where I see this stuff going in the future and why I was so adamant about wanting to do this, because I think people need to wake up to how sophisticated this stuff is all getting.
Brad Deflin
And we are seeing that in the field. A client is chairman of the board of a large New York Stock Exchange company over 100 years on the New York Stock Exchange, primarily a provider to the Department of Defense. So maybe that's an element of being targeted. Had retirement accounts, 401k, at a large firm everybody would know on Wall Street. And his voice was replicated using AI. And I don't want to get into the mechanics too much, but when Merrill called to verify that he wanted to move $400,000 out of a 401k to another account someplace else, his voice responded and approved that transfer. And that 400 some thousand dollars was transferred out.
John R. Miles
Yeah, it's unbelievable, especially here where I live in mid Florida. We're close to an area called the Villages, which has become a haven for a lot of retirees. Stories of how many victims there are coming out of elderly communities like that who are some of the most prone to not keeping up with what's happening with technology and thinking that these are well intentioned people would end up stealing their life savings.
Brad Deflin
That's right. And I think they also have a little more sense of a trust in the individual. I live in South Florida. You're Florida's the land of scams like Southern California. And you see the damage that's going on, especially in the elderly. And it's really sad. We have clients that are in their 80s and 90s that have really suffered in, in these cases. In some cases especially, they just trusted people and they just went with it. And the exploits were so complex, so sophisticated that they really had no sense for what was real and wasn't real. And before they actually woke up, they were done. The money was gone, the people were gone, they were out the funds.
John R. Miles
Yeah. So I want to shift to something else. And that's where the responsibility falls, individual or institutional. When I was at the bank, I asked the person, personal banker I was working with, if someone has a large amount of money in a bank, what is the bank's responsibility? And they said, well, we're only insured up to 250,000. And let's say a lot of listeners don't have 250,000 in their bank account because that's a lot of money. Many assume Apple, Google or their bank, regardless of how much money has them covered. What's your view on how much responsibility falls on the individual versus the institutional protection that we're expecting?
Brad Deflin
So it's a situation that's fluid and it's going from where the bank or the institution that was involved was really stepping up to help the client that goes back. Call it pre Covid. Right. And so you felt you could feel pretty good that the bank was going to backstop you and was going to give you your money back, regardless of whether the money was recovered or not. I don't know up to what levels or what have you, but that's shifting, I think, obviously because of the volume of damages, the amount of damages. I will tell you that the financial institutions in this country are really authentically, genuinely putting enormous resources into protecting their reputations, their infrastructure and their clients. They take it very seriously and they're putting all the money it takes to do that. If somebody, a client, loses money because the bank made a mistake, the banks have been really good about helping the client recover the money, getting the funds back to the client in some shape or form. But when it's really the client's fault, right, the client took action that, you know they shouldn't have done or it really was external of the banking systems where the exploit took place. More and more they are not stepping up and I think for all the right reasons, you can't backstop. It's not the model to backstop this risk. And this is why you're getting all these emails and all this information from banks around. We will not contact you by sms. Do not do this because they're going to have to tell you we're not going to provide the money that you lost because you took an action that we couldn't control, was outside of our systems and we've done everything we could. Sorry, but it's your problem. You've got to figure it out. It is getting harder and harder to get the banks to attend to the individual's problem. It's a massive situation. A lot of resources are going toward all these incoming calls, I've lost money because of this or this. 
I need your help, I need this information. The bank won't say, oh my gosh, we're on it. We're going to put all of our resources toward it. We're going to stay here till we figure out where your money went and got it back. That's not happening more and more. You've got to be the person that is pushing the case through the bank. You've got to get the lawyer that is pushing the bank to find the money. Where did it go? How can we get it back? You've got to be driving the progress of the case more and more. So to answer your question, John, I think that it is only realistic and it's just healthy to again find autonomy, take the initiative, be intentional about not relying on the bank, not relying on a third party, not relying on anybody, but to secure yourself in a way where these things are not going to happen in the first place.
John R. Miles
There's something, Brad, that I've always felt interesting. When I was doing large scale technology implementations in companies, everyone would always think when a project wouldn't go correct that it was a technology issue. And 99 times out of 100 it was a cultural issue. There wasn't enough change management, etc. And when we had that huge hacking incident at Lowe's, it was the same thing. This wasn't necessarily a technology collapse, although there was some of that. What it really was, was that the passwords at the access point were so easy to break that they were able to get in. And then there was a lackadaisical approach to the whole password systems throughout the whole company. And so the vast majority of the correction that we had to take once we bounced back from this was we did implement better technology. We implemented a security operations command center, those things. But the thing that took the most time was we had to create a whole cultural element of explaining to everyone why cyber security was so important and that it wasn't just about their personal life, it was about their self protection and their personal lives as well. And I found that it was almost this uncanny thing that the more senior the people were, the less that they took the threat seriously.
Brad Deflin
Very true, very true. This is why we say cyber security for life. This isn't about when you're in the office, you punch in and you punch out and it goes away, right? This is about everyday, all day experience as a professional in your personal life. It doesn't go away. And to your point, about senior people, so we deal with, certainly with a lot of CEOs, even three star, four star generals that are retired and may be on the board of a Department of Defense company, for example, they've been isolated so much, it's oh, the IT department's got that, don't worry boss, you need a program downloaded, I'll do it for you, boss. And their critical thinking skills, their level of awareness and their sophistication as a user is often much lower than just the average employee in the organization. And to your point around it being cultural, whenever you read a headline around a big breach, something went wrong, big losses. When you get to the bottom of it, you'll almost always find that there was some human elements, human error element. It was not that their technology was breached. More and more hackers are looking to hack you, to get to your technology to hack you first. That's where this Smishing triad comes in. So cyber security, the technology is taking care of itself. I will tell you that the tech, so much capital has been invested in IT security, including empowering it with AI, which is remarkable in terms of how that's used defensively, that it is up to the challenge of even the smishing triad and the most evolved exploits that we're going to see with AI. It's up to the challenge. Our challenge is to not only help people embrace and use that defensive technology, but to do that in a way where it also elevates their critical thinking skills and creates a partnership so they always have somebody to call. I don't know whether to believe this or not. Can I send you a screenshot? Look at my computer. I clicked a link. Maybe I shouldn't have. Is it okay? 
It's going to take an ecosystem, frankly to stand up against the level of risk and potential consequences that we see today.
John R. Miles
So Brad, what are the first three non-negotiable steps you would recommend for the listener to protect their digital life?
Brad Deflin
I think the basics we covered around passwords, password management, two factor authentication, those things. But to build out on that a little bit, we have what we call the three primary attack surfaces. So again, we're building in your mind's eye how to think about these abstract notions. If you protect these three primary attack surfaces sufficiently, you can mitigate this risk all the way to the margin. You can really mitigate this risk all the way down to practically nothing. The first is email. All right? We are big proponents of privatizing your email and we help clients do that. Get off of free email because it's not free. You are the product when you're using free email and they're taking your information and we know that story. So we say privatize your email, get off the grid, own your own email information and that mitigates that risk tremendously. The second attack factor are devices. Whether it's your laptop computer, phone or what have you, you've got to use enterprise grade antivirus, data loss protection, intruder protection, a whole stack of device oriented protection to protect those devices from being hacked. So number one email, number two devices. Third is the network which is now ubiquitous. Whether it's your home Wi-Fi, you're at Starbucks, you're in the lounge at the airport, wherever it is, and you're connected to the Internet through some local network. That is very much a surface of risk. And so we use things, the modern day VPNs that will encrypt all information. So it's invisible to anybody on the outside. That will firewall networks, even public networks, anywhere in the world, so that when you're on that network, whether again at Starbucks at home or some foreign airport, nobody can see your device on the Internet. Nobody can see your contents even over the local Starbucks Wi-Fi, and nobody can download to your device a virus or spyware or something else nefarious.
Combined, privatizing email, protecting your devices and securing the networks creates an ecosystem which provides cyber security for life. Works everywhere, all the time, across all your defenses, across all your devices in real time. Empowered with AI, including threat intelligence, where AI can say, you know what? They haven't done anything bad yet. But all the indicators are they're a bad guy. If we think they're a bad guy, we're stopping them. It's called zero trust. We institute zero trust across all of this. If it can't be authenticated, they're not allowed to play in the sandbox with your technology. If you do that, you really can gain a lot of peace of mind and again, enjoy the wonderful Internet and artificial intelligence and digital innovation that we're seeing today with a minimal amount of risk and again, lots of peace of mind. It's possible, but it takes intention.
John R. Miles
So, Brad, I always ask my guests what it is to live a passion struck life, but today you've redefined it, that it's something you got to intentionally create, purposely live and securely protect, especially in the digital world that we now inhabit.
Brad Deflin
Yes. And it feels good to do it. And it feels good to do it and feels good to help your family to do it because our generations need help around the notion of privacy and personal information. And we should be doing this now.
John R. Miles
Brad, the last thing I always ask every guest is if people want to learn more about you and how you might be able to help them, where's the best place they can go?
Brad Deflin
Sure. So I think I'm the only Brad Deflin other than my son on the planet and you can find me anywhere on the Internet because I do a lot of public speaking and writing and what have you. My company is Total Digital Security. A mouthful, three words, Total Digital Security. And our website's TotalDigitalSecurity.com. Let's just look for me or look for the company and you'll find us.
John R. Miles
Awesome. And don't put in Brian Deflin because that person, which I mistakenly did, is a fitness coach.
Brad Deflin
Oh, no kidding. I have to look him up. Interesting. Just one. Brad Deflin. That's me.
John R. Miles
Brad, thank you so much. For joining us today. It was really an honor to have you.
Brad Deflin
Thank you John. I enjoyed it a lot and I appreciate being on your show.
John R. Miles
That's a wrap on episode 639 and a crucial reminder from Brad Deflin that living intentionally means protecting intentionally. Whether it's identity theft, deepfake scams, or the rise of cybercrime as a service, the threats are real, growing and deeply personal. Here are some takeaways I hope will stay with you. You're not just a user, you're a target. AI is being weaponized to exploit your trust. Digital protection starts with awareness and using simple tools like password managers, multi factor authentication and network security. And most importantly, no one is coming to save your digital life but you. If this conversation sparks something, take a moment to leave a five star review on Apple or Spotify. It helps the show reach more people. Subscribe to the Ignited Life for weekly strategies to Live Boldly and Protect what Matters and catch the video version on YouTube @JohnR Miles. Coming up next, in episode 640, I sit down with Oliver Burkeman, the best selling author of 4000 Weeks, to explore a question we all need to ask. What if the problem isn't that we don't have enough time, but that we're trying to do too much with the time we have? This conversation is a powerful wake up call for anyone feeling overwhelmed, over optimized, or quietly burned out. Imperfectionism is the stance that says the only thing that really counts is doing a bit of it today, this week, maybe badly, maybe too little by some standard, maybe with no confidence that you'll ever come back and do it again. Maybe it's just a one off. Maybe you're not about to develop a wonderfully virtuous habit of writing your novel every single day. But you'll be doing it. You'll be bringing it into concrete reality. It will no longer just be an idea in your head, it will be real. And I think the big problem with a lot of ways that people think about productivity, personal development, spirituality, all sorts of things is that it actually reinforces this notion like not yet.
Until then, live boldly, lead with intention, and protect the life you've worked so hard to create. Live life.
Brad Deflin
Passion struck Sam.
Passion Struck with John R. Miles – Episode 639: Brad Deflin on How to Stay Safe and Private Online
Episode Overview
In Episode 639 of Passion Struck, host John R. Miles engages in an urgent and enlightening conversation with cybersecurity expert Brad Deflin, founder of Total Digital Security. This episode delves deep into the escalating threats of cybercrime in the digital age, emphasizing the necessity of intentional personal security to protect one’s life and achievements. Brad shares his expertise on the evolving landscape of cyber threats, the rise of AI-driven scams, and practical steps listeners can take to safeguard their digital lives.
John R. Miles opens the episode by highlighting the theme of the month's series—the power to change, focusing on evolving not just habits but also identity, relationships, and personal presence in the world. Unlike typical episodes that center on personal transformation, this episode pivots to the critical aspect of protecting one’s digital life.
Quote:
“Transformation isn't just about becoming someone new. It's also about safeguarding the life you've worked so hard to create.”
— John R. Miles [04:05]
Brad Deflin is introduced as a cybersecurity authority who transitioned from a successful financial career to address the growing cyber risks faced by individuals and families. His company, Total Digital Security, focuses on providing comprehensive cybersecurity solutions tailored for personal use.
Quote:
“‘Cybersecurity for life’—our mission is to help people protect themselves intentionally in the digital age.”
— Brad Deflin [10:56]
Brad recounts his pivotal moment in 2012 while working at JP Morgan, where he observed a shift from enterprise-level cybercrimes to targeting individuals. This realization led him to recognize the democratization of cyber risk, where anyone connected to the internet becomes a potential target.
Quote:
“The mobile revolution was all about people wanting to use their personal computer, their device, their phone wherever they were. That kicked off this enormous cybercrime epidemic.”
— Brad Deflin [05:40]
Brad presents staggering statistics to underline the severity of the cybercrime epidemic:
Quote:
“70 to 80% of cyber damages are now consumer-focused, growing even faster than the overall cybercrime pie.”
— Brad Deflin [16:50]
A significant portion of the discussion centers on the emergence of the Smishing Triad, a sophisticated group leveraging AI to execute multi-vector phishing attacks. These attacks combine emails, text messages (smishing), and phone calls to deceive victims with a success rate of approximately 60%.
Quote:
“The Smishing Triad uses AI to adjust exploits in real-time, making their attacks incredibly convincing and efficient.”
— Brad Deflin [33:35]
Brad emphasizes that these attacks are not the work of lone hackers but organized crime syndicates, potentially supported by state actors like the Chinese government, creating a parallel economy driven by cybercrime.
Brad shares real-life examples to illustrate the dangers:
Quote:
“We have clients in their 80s and 90s who have lost their life savings because the exploits were so sophisticated they didn’t realize what was happening until it was too late.”
— Brad Deflin [41:18]
The conversation shifts to the diminishing role of institutions in safeguarding individual cyber security:
Quote:
“It's only realistic and healthy to find autonomy, take the initiative, and be intentional about not relying on the bank or any third party.”
— Brad Deflin [43:16]
Brad and John discuss the cultural challenges in cybersecurity, particularly among senior executives and older generations who may not prioritize or understand the importance of robust cyber practices.
Quote:
“Cybersecurity for life—this isn’t about when you're in the office, it’s an everyday, all-day experience.”
— Brad Deflin [48:02]
Brad highlights that human error remains the weakest link, often exacerbated by a lack of awareness and insufficient cultural emphasis on security protocols.
Brad outlines three essential steps to mitigate cyber risks:
Quote:
“Privatizing your email and getting off the grid can mitigate your risk tremendously.”
— Brad Deflin [50:34]
Quote:
“Combined, privatizing email, protecting your devices, and securing the networks creates an ecosystem for cyber security for life.”
— Brad Deflin [50:34]
Brad delves into the importance of using MFA and password managers:
MFA: Adds an extra layer of security by requiring multiple verification methods, significantly reducing the risk of unauthorized access.
Quote:
“Any account that makes any difference to you should have MFA enabled. It will make your life much more secure.”
— Brad Deflin [22:39]
Password Managers: Encourage the use of robust, unique passwords for each account, managed efficiently through password managers like 1Password.
Quote:
“A password manager is essential. It not only secures your passwords but also makes your online life vastly more convenient.”
— Brad Deflin [27:08]
Brad emphasizes that technology alone cannot combat cyber threats. Critical thinking and vigilance are paramount in identifying and mitigating potential risks.
Quote:
“Your critical thinking skills and deliberate process of thought are going to have to come forward, because it’s going to be really convincing.”
— Brad Deflin [36:49]
As the episode wraps up, Brad and John reiterate the importance of living intentionally in the digital realm. Protecting one’s digital life is not just a technical necessity but a foundational aspect of personal integrity and intentional living.
Quote:
“Living intentionally means protecting intentionally, especially in the digital world.”
— Brad Deflin [54:06]
John summarizes the key takeaways, urging listeners to recognize themselves as targets, understand the weaponization of AI in cyber threats, and adopt practical security measures to safeguard their digital existence.
John concludes the episode by encouraging listeners to take immediate action based on the insights shared. He invites them to leave reviews, subscribe for more strategies, and continue their journey towards intentional living with enhanced digital security.
Quote:
“Live boldly, lead with intention, and protect the life you've worked so hard to create.”
— John R. Miles [55:10]
Stay Safe, Stay Intentionally Secure.