“Kids are being targeted now more than ever.” - Tyler Cohen Wood Click To Tweet
Your online identity is quickly becoming more crucial to your personal and professional success than in-person communications. But most of us don’t understand this digital Wild West and the dangers that lurk around every corner. Most of us are unaware of the digital breadcrumbs that we leave behind with every post, and how easy it is for a person with malicious intent to harm us. In her book, Catching the Catfishers and on today’s episode Tyler Cohen Wood teaches us how to protect ourselves and our families from online predators.
Tyler Cohen Wood is a cyber-authority with 20 years of highly technical experience at the Department of Defense. As a Cyber-, Intelligence, National Security Expert, three-time Author, and Public Speaker, Tyler is relied on for her wealth of knowledge and unique insights. Tyler served with the Defense Intelligence Agency as a Senior Intelligence Officer where she developed highly technical cyber-solutions and made recommendations significantly developing and changing critical cyber-policies and directives affecting current and future intelligence community programs. She has helped the White House, DoD, federal law enforcement and the intel community thwart many cyber threats to the USA. Tyler’s expertise has made her a frequent guest and writer for both national and local television, radio, print, and online media.
What is catfishing? What do parents need to do to protect their children online? What can you do in this uncertainty to protect yourself from cybersecurity issues? In this information-packed episode, we answer all these questions and more.“If they see someone that they consider “easy prey” they are going to go after that.” -Tyler Cohen Wood Click To Tweet
- [01:02] – When Tyler first started her cybersecurity career, she was doing digital forensics for The Department of Defense Cyber Crime Center.
- [03:01] – Parents often post pictures of kids and information without privacy settings. This can put kids in potential danger.
- [03:57] – Catfishing is someone pretending to be someone they're not in order to get you to do something or to give them information.
- [05:31] – In most catfishing cases there are some monetary or other things they are actually looking for.
- [07:30] – These attacks are always based on some fear or urgency.
- [09:55] – It is really concerning that kids are being targeted now more than ever.
- [10:35] – Predators target kids through online gaming platforms and social media apps. It is so important for parents to really know what their kids are doing, who they are talking to and what accounts they have.
- [11:05] – It is good to talk with your kids and sit with them and see what they are doing.
- [11:36] – What do parents need to do to protect their children online?
- [12:35] – Make sure you have accounts on all the same platforms that your kids do. Often predators will start a conversation on Instagram and then move to an encrypted platform like TikTok, WeChat or WhatsApp.
- [13:43] – Once a predator has a target they will continue to go after that target. If they see someone that they consider “easy prey” they are going to go after that.
- [14:58] – One of the number one things you should be watching out for is if someone claims to be somebody, but they don’t have an online presence normal for that person.
- [17:15] – A Home Incident Response Plan involves talking with your kids about what to do if you have problems online including downloading malware.
- [19:06] – In a Home Incident Response Plan you want to include a paper copy of all of the numbers of people that you would need to call in the event of identity theft or other emergency and all of your accounts.
- [21:53] – If your friend sends you something that seems out of character or they’re using words that they don’t typically use that is an indication of a potential scam.
- [22:12] – If anyone ever asks you for money on the spot just walk away.
- [24:52] – Be really cognizant of what’s in the background of your photos.
- [26:37] – You want to see what apps on your phone have access to. They may have access to your microphone, video, or contacts. If they don’t need it then turn it off.
- [28:12] – Fear, uncertainty, doubt, and urgency really get people in trouble. Stop and take a breath before you react.
- [30:26] – You have to take time right now to nurture yourself.
- [32:08] – It is important to talk to our kids about what’s going on in the world right now.
- [34:01] – Just be aware of what you're posting and what you’re doing and trying to be as paranoid as your be without being crazy paranoid.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Tyler on Twitter
- Tyler on LinkedIn
- Catching the Catfishers Book
Can you tell me more about how you originally found out about catfishing?
Sure. First off, thank you so much for having me. It really is a pleasure to be here. In terms of catfishing, when I first really started my cybersecurity career, I was doing digital forensics for the Department of Defense Cyber Crime Center and I did intrusion cases but also major crimes cases. Major crimes cases were the cases that involved the exploitation of children. I'm very passionate about these cases because there is a definite victim that is in pain on the other end of this case. It's something that I've been very interested in—keeping kids, and basically people, safe using my knowledge, skill set, and my background.
Yeah, and as for me, as I've run my business, I've run across more and more people that have been victims of all sorts of scams, and it's like I have a little bit of a soapbox. I need to do something. I need to really help educate people and help make them aware of what's going on out there.
Absolutely, yes. How I really got into this, it was something I was very interested in. I went to work for the DIA, which is the intelligence arm of the Department of Defense. I still keep in touch with agents I used to work for with DOD Cyber Crime Center. One of them just told me this awful story about a man who had been arrested for distribution of child porn. They saw on his computer that he had been chatting with this 11-year-old girl, and he knew every single thing about this girl. The investigator was like, “How does he know this?” Fortunately, he was caught for distribution before he ever met the girl, but it turns out that this guy had been going to the mother's social media pages, her blogs. She had been posting pictures of the kids and she had no privacy settings. She was talking about every single thing about these kids. She did not know that she was putting her kids in potential danger.
That got me really, really concerned. I looked for a book or some easy type of guide that would help kids and parents really understand this online domain and vet who they're talking to, who they say they are in an easy-to-understand way. I couldn't find one, so I wrote it. That changed the trajectory of where I started going.
I know there have been some fairly large accounts of catfishing in the news. We've heard of young football stars meeting people and it turns out that they're not who they claim to be. How do you define catfishing?
I define catfishing as someone pretending to be someone they're not in order to get you to do something or to give them information. A lot of people think of it as just someone in a dating realm where they're saying there's someone they're not, but I think that it's a lot more than that. It's people who are targeting children, but I think it's also a lot of the phishing scams or a lot of the COVID-19 scams that we're seeing because you're dealing with someone who is not who they say they are.
When it comes to catfishing, what is the end game? I know when we've had the story of the football player that was catfished, that didn't really seem to be monetary, like, “Hey, I'm trying to get money out of this guy because he was just a pretty young guy and didn't have a whole lot of money.” It seemed like this person would just be building a fake relationship. What is the endgame for catfishers?
Typically, it's something of monetary value, it's an entrance into your network to steal something, or it's a predator trying to take advantage of you. Usually, there is an endgame, but I'm so glad you brought that up because now is a time where people feel more isolated than ever. I think you're going to start seeing a lot more of that type of behavior where people reach out just for human contact, and maybe they'll pretend to be someone they're not, but I do think in most cases, there is some monetary or some other thing they're actually looking for.
Do you see there's a particular demographic that gets targeted more than others? Your introduction was with a young child, but is it specifically targeted? We see lots of scams targeting the elderly. It's just a common demographic, but with catfishing in a wider sense, is there a specific demographic that's targeted?
If you asked me this question five, six years ago, maybe even three years ago, I would have said, yes, young girls, women, and people that are a little bit older and who aren't as familiar with the Internet. But now, I think the demographic is starting to change. You're still going to have predators that are going after kids, unfortunately, and they're upping their ante these days, but they're also targeting CEOs of businesses. They're targeting people who work in companies, to be able to gain entrance into that system. They're going to do the recon, they're going to find out everything that they can, and they're going to start using a lot. They already have started using very different targeted phishing types of attacks that we just really haven't been seeing before. I would say that the demographic has really shifted to most everybody.
I was doing research and it just seems to be becoming wider and wider spread. Maybe originally we were looking at it as just fake relationships and trying to con people out of money, but now these things are going deeper and wider, and getting considerably more complex.
Yes. These attacks are always based on fear or some urgency. “If you don't read this new update about COVID-19, you're putting your family at risk.” As I had said, people are already heightened with anxiety, and they're just not at their best. Unfortunately, we're seeing a huge spike in these attacks being very successful.
I read the news and that sounds like a lot of in-person burglaries and crime that happens on the streets and in real life, if you will. It seems a lot of those have now moved online, particularly with everybody working from home, but it's like, “Hey, where can I take my scam next?”
Yes, and some of the scams are also ridiculous. Buying toilet paper online for cheap or just crazy amounts of money. You're seeing just things that I would have never thought that I would see in my lifetime, but I also didn't think that I would live through a pandemic.
It's definitely times where what we would have considered the norm have been totally upended for, at least the United States, 95-96% of people are being told unless you're in health and medical, unless you're providing an essential service, you need to be home. What are these people going to do? Some of us are fortunate that we can continue to work while we're at home, but other people are sitting around, and once you've finished your favorite TV show and once you've done all these things, you’re starting to go, “Well, let me look for information. Let me start chatting with friends I have from high school that I haven't seen in 20 years,” and we're almost expecting people that we haven't known in many, many years to reach out to us just to say, “How are you doing?”
That is true, and we're seeing a lot more of that. I think that's maybe one of the good aspects—people are really reconnecting in better ways. People are also exercising more. I've actually been exercising more since we've had the stay-at-home orders than I had before. There are good things but what really concerns me is that kids are being targeted now more than ever, and kids are also in a position where they're also afraid.
All of a sudden, they're being homeschooled by their parents, they don't have contact with their friends, and they're starting to feel lonely. Maybe the parents are working and they just don't know what to do with themselves. They're going online and predators know this. They're very, very good at doing their recon and targeting kids. They do it through online gaming platforms, through any of your social media types of apps, and it is just so important for parents to really know what is going on, what their kids are doing, who they're talking to, what accounts they have.
I will say there is one advantage. Back in the old days, we used to say, “Just make sure the home computer’s in a place where you can see it.” We're back in that position where now it's good to talk to your kids, sit with them, see what they're doing, and make sure that you have accounts on all of the platforms that they're using.
Let's dig into that a little bit with respect to kids being targeted. What are some of the things that parents should be looking at, watching out for? You talked about having access to social media accounts for your kids, but what are some of the ways that kids are being approached and things that parents can do, and ways that parents need to talk to their children?
As I said, online gaming is a huge way that predators are reaching out to kids, because kids think they're talking to a friend, or they may not know who they're talking to, or on a lot of the social media apps, predators are actually doing searches for things that kids may be asking, questions they may be asking. They're using these methods to really target them because they know that kids are in a very vulnerable place right now and parents are, too.
Predators will also do a technique where they'll get to know someone on an app that you may know they're using like Facebook and Instagram, and they search for certain things, they look for pictures. You want to make sure that you have accounts on all the same platforms that your kids do, but the problem is some of these predators will start off on Instagram and then move to an encrypted platform or something along the lines of TikTok, WeChat—one of those—or even WhatsApp that is a little bit harder for a parent to track.
We definitely see similar things happening in dating scams and adults. They meet on one of the popular dating sites and all the conversation that goes on there (if you look at it) doesn't look particularly suspicious, doesn't look odd, but as soon as you start, “Hey, let's take this conversation to this other platform,” where the dating websites can't monitor the conversation, they can't see where it's going, they can't see the trigger words, it sounds like similarly the same concept plays out when targeting kids on a kid-focused platform.
It really does, and one of the problems also with predators is once they have a target, they will continue to go after that target. If they see someone that they consider—I can't believe I'm going to say this, Chris—easy prey, they're going to go after that. This really is a time that you have to monitor what's being done on your network. If you see encrypted traffic that is not yours that's not on your VPN, but it's something that your kids are doing, you want to ask what's going on, and you want to also make sure you know who else is tagging your kids, who their friends are, and what photos, or what they're tagging as well. Now is just such a perfect opportunity to have that conversation with your kids.
Getting to know your kids’ friends or how you know this person.
Absolutely. In my book, Catching the Catfishers, I have very easy checklists that are meant for parents and kids to go through together to help determine if someone is actually who they say that they are.
What's one of the biggest ways? What's your number one thing on the checklist that people should be watching out for?
One of the things that you should be watching out for is if someone claims to be somebody, but they don't have a normal-for-that-person online presence. If someone claims to be a 13-year-old boy, but they don't have friends on their Instagram account, they don't have conversations, they're not tagged in things, or it will look like the account was just set up and there's no communication. Something like that where it looks odd is really a dead giveaway.
I used to say, “Hey, ask them to send you a picture. Look at the EXIF data. See if it matches,” and maybe they won't be able to send you a picture because they're not really who they are pretending to be. I'd be a little more cautious about that in these times where there's just malware all over the place.
Yeah, send me something that I can use to infect myself.
I don't know if I should even say this. I haven't heard of this yet, but I think we should warn parents before someone starts doing it, but I can very easily see people who are targeting CEOs or people that are working in businesses, targeting them through their kids to get the kid to download something that is a malicious application that will then traverse through the network affecting your work laptop and computer, possibly even getting into the network itself. You want to talk to your kids, too. I always recommend—it sounds crazy—having a Home Incident Response Plan, especially now.
What is a Home Incident Response Plan? You and I probably know what the technical terminology is, but most parents are thinking it if they're not in cybersecurity, they're not in data forensics.
That is very true. An Incident Response Plan is usually for businesses. If they're hacked, here's what we do. Here's where we keep our backups. If we get infected by ransomware, this is how we are going to handle it. Here's who we call. A Home Incident Response Plan would be similar to your Work Incident Response Plan, but it would be something along the lines of you talking to your kids. If they download something and all of a sudden they see ransomware immediately, turn it off. Turn that device off. You do not want to get into your network. Pull the battery. As we used to say in the old days, pull the Cat5 cable out, but really disable any type of connectivity. Also, make sure that you have your IoT devices and really all of your other devices on a separate network, a guest network. It is completely separate from your workstation.
That's one of the things that I've done with my home. I don't think I'm paranoid, but I have the IP cameras on the exterior of my house and a few other devices that are connected, that are used within my network, but they're running on their own isolated network with the cameras. The cameras don't have access to my computer and my computer does not have direct access to the cameras. They store out to a common device that each of them can look at but you can't see across the network that those devices even exist.
That's so important, and if people have questions about that, it’s relatively easy to even use and set up a guest network through your home provider, but also your business. Your IT people may have some solution, too, that they want you to put in place. They'll have an Incident Response policy, too, but it'll be different from the home one. The home one is jumping around, but you want to include things like the numbers of people that you would need to call in the event of identity theft or something along those lines.
Having a paper copy of all the numbers you need to call, all of your accounts that are in paper form because if your system goes down, you need to have that. Plus, I wouldn't recommend having that on your home computer anyway, unless you've encrypted it. I would have a good paper copy, and everyone knows what they need to do and practice. That could be a fun activity to do with the kids.
I have a piece of paper in a home safe that has telephone numbers and a couple of bank account numbers in case of emergency that we know where to call, who to call, and I don't have to worry about finding the right telephone number for this bank. If my Internet's down, how do I find the right telephone number? Just the one easy place I can just immediately go down a list to secure or close accounts, and things like that if something urgent happens.
And hopefully your safe is not something that you can open and close with your phone.
No. It barely opens and closes when I manually enter stuff.
Oh, my gosh, that's really funny.
Make sure I go out and buy a big sledgehammer in case I can't get into it.
Let's go back to catfishing again. We’ll bring it back to that. We talked about things that kids should be watching out for. Are there things that adults should be watching out for in case they're being targeted? We could widen up catfishing to be dating scams and any type of interaction. What are some of those things that, as adults, we should be watching out for?
We should be watching out for the typical types of scams that you're going to have a URL, maybe it looks like it comes from somebody that you know, but if you expand the email address, you see that instead of an O, maybe it's a zero or something that's a little bit different. You also want to look at the URLs before you click on it to see if it's going where you actually think that it's going. But also, you know, people who are sending you documents, whether it's for work.
I guess you wouldn't know on a dating site necessarily, but in terms of email and also in social media, you know your friends, and if they send you something that just either seems out of character or they're using words that just are not words that they typically use, that is an indication of a potential scam. If anyone ever asks you for money on the spot, just walk away. That is a scam.
Also, there are new scams—you really want to be careful—that are coming out saying that they are a COVID-19 bulletin, but it's actually not necessarily a URL that you would click on. It's maybe a PDF with the malicious link inside of it so that it can get through a lot of antivirus and anti-malware detection tools. If you get something like that, and it seems weird, pick up the phone.
I've definitely had a few of those things where someone I've connected to on social media that I tangentially know, or I’ve known them for years, but we don't really interact on a regular basis, sends me this message, “Oh, hey. Check out this really important thing,” and they don't explain what it is, why I should be looking at it, or why this person, who I haven't talked with in years, is now sending me this. Those conversations don't usually go that way. They usually go, “Hey, it's been a couple years since we talked, but I ran across this thing about cybersecurity and it made me think of you. Is this legitimate?” That's how I would expect that conversation to go, not, “Hey, Chris. Click on this.” No.
Exactly. There will be indications in the words, the terminology, or even the urgency of what someone may send you. You just want to be really careful, and just also talk to your IT department. Make sure that you have the highest security solutions and settings on all of your devices. And please, if you are working in a room, take any personal assistant device that has the ability to record your conversations and just put it in another room, turn it off. Because you don't want any device to really be capturing any of your work tradecraft or really anything about you.
Yup, and I have seen people jumping on Zoom these days. We won't talk about whether it's secure or not secure, but watch your background. What documents do you have sitting out that might be visible, if you're taking photos and selfies of your work-from-home setup, as you're logged into your company bank account, where the number’s involved. Be really cognizant of what's in the background of your photos when you're doing things that you're not normally doing.
That is such a good point. I'm very glad that you brought that up, because that's something a lot of people don't think of, especially now.
I guess it probably applies to even our social media stuff that we really, at this time, need to be incredibly cautious about. We may be posting more pictures with our kids, talking about what we're doing, and releasing more personal information into the wild about us. Maybe we need to be tightening up our security settings at this time, not loosening them up.
That's so true, but also there's just so much information out there about us. Some of it is what's called OSINT (open-source intelligence), which is maybe you bought a house and you can look at Zillow to see how much someone else bought a house for, where that address is, or court records. Also, be careful about downloading applications. What was the application that everyone was downloading that made them look older or something like that?
It was to take a picture of yourself now and see what you're going to look like in 20 years.
You want to look at those apps, you want to see what they have access to because if you're using your corporate email, and they have access to email, or even things that you're putting into your little notes, that could be something that is used to get into your network, access you, or even target your family and kids. You want to look and see what apps on your phone have access to. If they have access to your microphone, your video, or your contacts, and they don't need it, turn it off.
It's almost like the more information that apps, that people, have about you, the easier it is to target you, whether it's legitimate for “advertising” or criminal activities. We know you like to go here, we know you like to do these things. We see that you like to go on cruises, based on your photos and what you're talking about. Let's use that as a way to get into you. Not that anyone's going to go on a cruise right now, but here's this great deal on a cruise.
There may be people that are still on cruises unable to get off them, so for them…
It could be, “Hey, has your cruise been canceled? Click here to help get your money out, to get a refund from your cruise line.”
Yep, or something that looks legitimate from an airline saying your recently purchased ticket for a refund…because how many people have purchased tickets through the end of the year? Lots of people. That's another scam. Basically, I don't think that you should be as paranoid as clearly you, Chris, are and I am, but you do want to be a little paranoid.
Yeah. Particularly now when scammers seem to be coming out of the woodwork when there's a lot of fear, there's uncertainty, there's doubt. I feel like I say that phrase on every episode of the podcast, but it really is that fear, that uncertainty, that doubt, that urgency that really gets people in trouble when they're looking at something in the heat of the moment going, “Oh my gosh, I need to know about that,” or, “Oh my gosh, that scares me. I need to stop that.” Take a breath.
It's so true. I actually almost fell for a phishing attack—hook, line, and sinker—back in early January. I talked about social engineering. I've written the book on it. There are just so many things that I teach about. I teach people about this, I speak about it, but I had a very bad week. Our dog of 12 years passed away that week. I got really sick, and there was some other crazy thing that happened. We weren't sleeping very much and I just wasn't in my best frame of mind. We tend to make the assumption as cybersecurity professionals that people are always at their 100%. If we say, “Look at this link,” well, they're going to do it. But people are not always in their best frame of mind, especially not now. If in doubt, and you're tired, or you're not thinking clearly, I would save it for a better day. I'm not saying don't do your work.
I joke with people. You don't want to have difficult conversations with people when you're tired. You don't want to be making major life decisions when you haven't slept. You don't want to be clicking on links when you're delirious. All these things have fallen together. It can wait until the morning. It can wait until I have a good night's sleep. In most cases, a good night's sleep is not going to make or break an opportunity or result in you losing a job or something like that.
Exactly. I think people are a lot more compassionate right now. If someone says, “I'm really tired, I'm not feeling well. Can I take a day off or miss this?” Do that. I know this isn't cybersecurity, but you have to take time right now to nurture yourself, whatever that means. If it means doing yoga online, taking the dog for a walk, or doing things that make you feel okay and help center and ground you, so that when things are crazy, you're less likely to fall for these types of things because you have that grounded place to be.
That is absolutely great advice. I think it is good advice, even when there's not a pandemic, when you're not being targeted. It's just good advice to have that space where you can breathe better and calm down.
Definitely. I've seen a lot more people walking around the trails where we walk the dog, everyone keeps their distance, but there are more people out there that are doing that, and I just think it's so important.
Definitely in my neighborhood, the neighbors that I do see across the street are waving and saying hi, people writing nice messages in chalk on the sidewalks. There is good that can come out of challenging situations, and it's nice to see that there are opportunities for people to come together and be supportive.
Absolutely. I think it's also very important to schedule activities with kids but also talk to kids. When I say activities, like Zoom playdates or things like that, but also, you really want to talk to your kids about what's going on because kids are terrified. They don't really know what's going on and there's a lot of misinformation out there. You turn to one station, you hear a doctor say one thing, you flip to another and you hear an equally qualified doctor say something else.
You want to make sure that your kids understand what's going on, and that you let them know that things are going to be tough for a while, but it's not going to be forever. You'll be able to hug grandma again because then kids feel more supported and they feel more open to talking to you, and probably less likely to talk to someone that they don't know and less likely to maybe fall for predator attacks.
If they've been told you can't talk to grandma for a while, and then grandma suddenly emails them, they're going to be suspicious of that…or tries to connect with them on Facebook or some channel where grandma's obviously not up and running.
Absolutely. Also, the educators have to be very careful about their home security as well, because I don't know this for a fact, but I just know talking to all the mom friends that I have and family members, since this is also sudden, but teachers are not necessarily creating lessons, they're just giving assignments. It would be very easy for a hacker to target an educator or a teacher to gain access to their email list, sending again to parents or kids malicious software, claiming that it's homework.
Too many opportunities to take advantage of people that I want to shut everything off and go hide.
I don't think that that's the answer either. I think that it's just being aware of what you're posting and what you're doing, and trying to be as paranoid as you can be without being crazy-paranoid.
That sounds like great advice. Be paranoid but not crazy-paranoid. I like that. If people want to learn more about you and what you're currently doing, is there a website or social media that people can go to?
Absolutely. You can find me on LinkedIn, Tyler Cohen Wood. You can also find me on Twitter @TylerCohenWood. You can also find me at tylercohenwood.net.
And if people want to read your book on catfishing, what's the title and where can they find it?
The book is Catching the Catfishers: Disarm the Online Pretenders, Predators, and Perpetrators Who Are Out to Ruin Your Life. You can find that on amazon.com, barnesandnoble.com, really any of your major booksellers.