“People who are aware and trained are often the strongest link in protecting companies from social engineering attempts.” - Jack Rhysider
Have you ever received calls either at work or at home where the caller wants you to verify some information about yourself or someone else in the company? This could just be someone updating their records or it could be the start of social engineering.
Our guest today is Jack Rhysider. Jack is the host of the podcast DarkNet Diaries: True Stories From the Dark Side of the Internet. His podcast is about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all things that dwell on the hidden part of the net.
- [0:45] – Jack originally went to college to study computer engineering and wound up getting a job managing firewalls for many different clients. In that time, he went to conferences and listened to podcasts to learn about the different types of hacking.
- [1:40] – DarkNet Diaries is a podcast that tells the stories behind hackers and different situations.
- [2:15] – Jack explains how social engineering started decades ago where a man traveled around selling things he didn’t own.
- [3:31] – Today’s social engineering is more about conning people within a company in order to gain access to data.
- [4:44] – Jack breaks down the levels of people within a company and why everyone is a target for specific reasons.
- [5:00] – Phishing is all about sending a link to someone to click that is harmful. When a phishing email is sent to a CEO, it is called Whaling.
- [7:27] – Even the nightly cleaning crew could be a target for social engineering.
- [7:58] – Individuals could also be hacked, especially if they hold Bitcoin or another form of value.
- [9:29] – There is a difference between phishing and spear phishing. Phishing is a lot of the time random, but spear phishing is when the hacker takes the time to get to know their target.
- [11:29] – People are the weakest link but are unintentionally the weakest link. But on the other hand, people who are aware and trained are often the strongest link in protecting companies from social engineering attempts.
- [12:28] – Oftentimes social engineering attempts are time sensitive, so if you get an unusual call or email that is pushing you to act on something very quickly, that is a red flag.
- [14:10] – If you get a call that you are unsure of, hang up and call the people they claim to be directly to verify their identity.
- [16:02] – Jack recommends you also make sure you keep everything updated, like apps on your phone, your operating systems on your phone and computer, etc.
- [16:37] – Jack also recommends using a password manager on your computer which gives you a long crazy password and remembers it. These passwords are very difficult to crack.
- [17:44] – The harder you make it to hack your information, the more resources it would take for a hacker to gain access. They will give up and move on.
- [18:05] – One of the biggest issues with social media is the amount of information people are giving out for free that makes them vulnerable.
- [20:18] – Jack shares a story about how Sarah Palin was hacked simply because the answers to some of her security questions were public knowledge online.
- [21:10] – Two-factor authentication is a must, and Jack also recommends you take steps to secure your email addresses.
- [23:42] – In Gmail, there is a way to see what IP addresses have accessed your email.
- [25:50] – Jack shares a story about how he was targeted as a teenager buying a camera on eBay.
- [27:04] – Past experiences are great lessons to learn about how to use the internet safely.
- [29:00] – Anything that is outside of the norm, like paying a bill with a different credit card, purchasing gift cards to pay for something, or wiring money through Western Union are all big red flags.
- [29:45] – There is a huge criminal market in India that is targeting individual people, specifically elderly people.
- [31:49] – This type of awareness is the first level of security for yourself.
- [33:29] – Chris and Jack discuss the most recent issue of hackers using stimulus check reasons to gain information.
- [34:12] – Another recent scam is a man spamming ex-drug addicts pretending to sell pharmaceuticals to tempt them into sending money to him.
- [37:32] – Jack’s podcast DarkNet Diaries covers stories from victims, law enforcement involved in cases, and even from the criminals themselves.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- DarkNet Diaries Web Page
- DarkNet Diaries on Twitter
- Jack Rhysider on Twitter
Can you give me a little background about who you are and how you got into what you’re currently doing?
I went to university to study computer engineering. Then I got a job doing network security. I was managing the firewalls, intrusion detection systems, and watching the logs and this kind of thing for many different clients. I saw a lot of different environments. Basically, I was there to help secure their environment so they wouldn’t get hacked.
At that time, I tried to expand my mind of all the different hacking scenarios there were. I would go to conferences and I would listen to a lot of podcasts to learn all the news—how did people get hacked this way and that way. As I was doing that, I was learning that there were some really good stories out there on hacking—stuff that has high-drama, excitement, and adventure. But there was no good podcast that was breaking it down in that storytelling way. That’s when I decided to make the podcast Darknet Diaries and to tell the stories of these crazy hacks that happened.
That’s what I’m doing for the last two years. I’ve been just making the podcast Darknet Diaries, which goes into many different hacks, breaches, and cybersecurity stuff.
That’s really cool. Something that I’ve been looking forward to listening to and being able to figure out what people are doing out there and how they get caught. Can you give me an overview of social engineering? What is it and when did it start arising as far as you know?
It’s synonymous to my mind as a con man or con game. I don’t know the year, but it was a long time ago—a hundred years ago—there was this guy named George C. Parker. He was living in New York City, and he was trying to sell people things that he didn’t own. One of the things he sold was Grant's Tomb to someone, and he sold the Brooklyn Bridge to someone. That’s where we get the term, “Okay, if you believe that, I have a bridge to sell you.”
This guy was just going around, making all the fake documents—even had a fake office that he could go in and act like, “Oh yeah, this is where we go to sign over the deed to the bridge.” The office looked legit. It had people working there and everything. He had legit documents that made it look like he was the grandson of Grant.
People believed him by having all these pretexts and stuff like that. That was just a con game. That carried over to today where we have social engineering, which is pretty much the same thing.
The way companies use this today, though, is that they recognize that their people are sometimes the weakest link in a company as far as security goes. They will hire people—hire hackers—to come and hack the people. Social engineers will con people at the company to get into the company to get information, data, and access to things.
One of the things I heard was, “See if you can get into the vaults of our bank, which has our gold bullion.” Social engineers have figured out ways through the front door—which they shouldn’t even be able to get into—through the lobby, up the stairs, and into the gold bullion vault. Companies use this today to see if they have a weak point in their security as far as people go.
What levels of types of people are we talking about? Are we talking about frontline, tier two, executives, or secretaries? Who are the targets of this?
The whole gamut. Let’s start at the top. We have CEOs of companies who have the decision to be able to say, “Yes, I agree with that merger deal,” or “We need to send money—$100,000—to this company.” This is called whaling. Because there’s a term called phishing. If you just try to get your email—somebody sends you an email. It says, “Please click this link because it has something valuable for you.” That’s phishing.
But when you’re doing that to a CEO, that’s called whaling. Because you could impersonate the CEO so that you could then send an email to someone saying, “Oh yeah, I’m the CEO. We forgot to pay this partner. We need to send $1 million to this partner of ours. Please immediately wire this money here.” You’re dealing with high-level stuff at that point and you’re getting CEOs or people who listen to the CEO to say, “Okay, that’s an email from the CEO. I better go do this.” You get that kind of attack at a very high level.
There are receptionists who are on the front line dealing with customers coming in who are getting attacked in ways. Here’s the scenario, I heard just yesterday from an actual hacker. It wasn’t even a social engineer, but the person wanted to know what hotel room a person was staying in. They didn’t even know which hotel. They started calling all the hotels in this town. They said, “I’m from so-and-so dry cleaning, and I have Mr. Whatever’s dry cleaning. I just need to deliver it to him. I know he’s staying in your hotel. Can you tell me what room, and I am going to round it up for him.”
The first four calls he wasn’t even in that hotel. The last one was, “Yep, he’s here, and he’s in room whatever.” That’s a social engineering attack. That was done by the person at the front desk.
Then you have people who just have access to information that a hacker might need. They might have access to a database. You might have the IT staff, you might have IT admin or something like that get phished or social-engineered to get access into whatever access they have. A system admin has access to everything in the company including the CEO’s emails. They can see everything.
You got attacks there. Or even the nightly cleaning crew. You might be able to convince them that you’re supposed to be there when you’re really not and they caught you but they don’t know how to handle it. You lie to them and say, “Oh no. I work here and I’m just coming back to get something out of my desk.” And you really don’t work there. The entire canvas of employees at a company is a target in many situations.
Do you see that individuals are targets as well, not just employees or corporations, but actual individuals?
Yeah, of course. The big thing I’ve seen is people who are holding Bitcoin or cryptocurrencies. Often, all you need is just that private key and then you can have their Bitcoin. If somebody’s boasting on Twitter or social media a lot that they’re holding a lot of Bitcoin, then you might get somebody trying to hack them. All you need is a few bits of information and you can craft a pretty convincing social-engineering story of “Somebody has transferred money out of your Bitcoin wallet. Please click here to confirm that it was you.” And you’re like, “No, I didn’t do this transfer.” But you’re clicking there and providing your login to the hacker.
There is that kind of thing. Anyone who has anything of value or there are other people who are getting hacked because of revenge. You have an ex-spouse, and they’re very jealous of your current situation or whatever. They’re hacking into your stuff to get revenge of some kind. There are lots of different motives for individuals to get hacked as well.
Usually, this kind of escalating access to information. If you called me and said, “Hey, I’m with XYZ Bank. Your account has been compromised.” I don’t have an account with XYZ Bank. It’s obviously a scam call. But if someone called me and said, “Hey, I’m with…” and it’s a bank that I bank with, I’m more likely to engage with them.
Yeah. This is the difference between just regular phishing and spear phishing. You cast a wide net and say, send a million people, “Chase Bank has been breached. Your account has been accessed.” If you don’t have Chase Bank, 40% of your emails just went nowhere. But if you can take the time and get to know your target and know exactly what their weaknesses are—where they shop, what’s important to them. If you know their school, where their kids go to school and you say, “Oh, here’s a special message from the principal of the specific school of where your kids go with your kids’ name in the email and everything, of course, you’re going to click that. Why wouldn’t you? It looks legit in every way.
That’s what spear phishing is. It’s more targeted for that particular individual. That’s where we’re most vulnerable. It’s when things are just really, really well crafted specifically for us.
Even when you come back to that example of someone claiming to be the CEO saying, “Hey, we need to send $100,000 or $1 million to this new vendor.” I know a personal example where that situation happened. Some point along the line he had communicated with the CEO of the company. The scammer got the CEO’s signature line from his email, found out who the appropriate accounting person was and how this person normally addressed the accounting person, and went along and sent a fake email, had the right signature, addressed the person by their proper nickname. “Hey, I need you to do this. I’m on the phone, so don’t get ahold of me right now, but we could talk about it later. I just need you to take care of it right now.” It looked like it came from the CEO.
Definitely. That happens frequently.
It all ties back to the people are the weakest link. Not that they’re intentionally being the weak link. But taking advantage of processes in some cases.
That statement has truth that the people are the weakest link, but they’re also the strongest link. You’ve got people who are well-trained and know how to spot this kind of stuff. They can call out potential issues really well. There are stories of people trying to do major bank robberies, but then some person saw. “Hey, that doesn’t quite line up with what makes sense to me. I’m going to flag this and double-check on it.” That kills the whole operation, whatever the hacker had.
“In most cases, people tend to be the weakest link—more so than processes—when it comes to being socially engineered by scammers.”
Someone just questioning things that are just even slightly out of the ordinary.
What are things that we could do in our everyday lives just to prevent ourselves from falling for social engineering?
I think there are a few things. Number one, a lot of social engineering attempts try to really push you. It’s very time-sensitive. “Look, I’m only going to be in town for this one day. Do you want to meet then?” Or something like that.
Somebody calls you on the phone, and it might be Friday at 4:00 PM. They’re like, “Look, I am sorry. It’s the last minute of the day. I’m calling you. I just need to wrap this stuff up before going home.” It’s really like a social-engineering call. A call that’s trying to trick you. If you can just slow down and say, “You know what, call me on Monday. Sorry, we can’t work it out today. I’m busy too” or something.
Watch out for when somebody is really trying to push hard on you and that you don’t know. And say, “Hey, wait a minute. They’re rushing me in a way that’s making me feel uncomfortable. I don’t like this.” We all have this sense of, “Oh, I just want to help. Yeah, sure, it’s Friday. Let’s get this help…whatever it is you needed help with.” Sometimes people call and they’re like, “I’m part of HR. You didn’t sign your bonus check properly. Can you go to this website and sign it for me?”
“A common social-engineering ploy is someone trying to rush you or make you feel like you have to make a decision right away.” - Jack Rhysider
It seems right. It seems legit and stuff. But it’s like, “Okay, this is odd.” Another thing you can do is hang up and call them back. Because you’re like, “Okay, I know the number to HR. Where are you at? Maybe you’re in the same office as me or something.” Hang up and walk over there. “Did you just call me and ask me to sign a bonus check?”
This is a big thing too. You got Indian scammers who will call and act like they’re from Microsoft, or even saying you have some unpaid taxes or something. You can hang up and call Microsoft and say, “What’s the deal with my license” or something. Or the tax center—IRS—and say, “Is there a problem with my taxes?” These are the two big scams.
Those are two big things that come to mind. Watch out for someone pushing you to go too fast that you don’t know. Hang up and call the person back on a number you know.
I know. I recently got a phone call and the gentleman said, “Hey, I’m trying to reach Sally.” I’m like, “Oh, there’s no Sally here.” Sometimes I like taking these calls because I want to see what the scammer has. A phone number I don’t recognize. I listen to the call—what’s the latest scam? The guy’s like, “Hey, I can’t get ahold of Sally.” I’m like, “Well, there’s no Sally here. How can I help you?” “Oh, yeah. I’m calling to follow up on my stimulus check.”
I’m like, “What was Sally doing to help you with it?” “Oh, she was filing all the paperwork to get the stimulus check on my behalf. That way we could expedite it.” I’m like, “Oh, and she gave you this number?” “This is the number she called from.” I’m like, “Oh buddy. What information did you give her?” “Oh, yeah. I gave her my social, my home address, and my bank details.” I’m like, “Oh my gosh, buddy. You just got scammed, or a very good chance you got scammed. Particularly you’re calling back the number she called from because this is my personal cell phone. There’s no Sally here.”
It’s horrible to hear stories like this.
Yeah. It really is. Some other things that you can do to make your tech life better and more secure are to keep updates going on. This is updating apps on your phone, updating the operating system on your phone, updating your computer, and updating the apps on your computer. All these things just keep updated. That’ll give hackers less foothold to try and get in.
Also, try to use a unique, crazy, wild password on every website you have an account for, and that’s impossible for us to memorize. You use a password manager to do that. A password manager is a little tool that says, “Oh, I’ll remember the password for this website.” When I go back here, it remembers the password. You can make it as long and as complex as possible. You don’t ever have to remember it. Just the password manager remembers it. It’s a nice handy thing.
“Use a unique, crazy password on each website that’s impossible to memorize and get hacked. Use a password manager to help.” - Jack Rhysider
I’m not talking about the built-in password remember tool in the browser. This is more of something like LastPass, 1Password, Dashlane, or just other password managers. You can look up which ones are the best and figure out a good one. These are the two big recommendations I have.
When it comes to being hacked, it’s not always about outrunning the hacker entirely. You just want to outrun the other person next to you who’s slower. So they get hacked and not you.
What’s the story?
The bear—running from the bear.
How do you outrun the bear? I don’t have to be faster than the bear. I just have to be faster than you.
Yeah, exactly. The same thing. You just want to make it harder for hackers to get into your stuff so that they target someone else. They give up. Because the harder you make it, the more resources it takes for them. They just give up and go to the next person. At least you weren’t the victim. Even if your company still gets hacked by someone else, at least you can sleep well it wasn’t you.
Yep. What would your thoughts be on how people should behave on social media, then, if the information that we’re making available potentially is used against us?
Oh my gosh. This is a nightmare. Dumpster fire. There is so much stuff people are giving away on social media free that any hacker can use for their advantage. Even if you’re just like, “Hey, I’m going away for a week. I’m going on vacation.” Then everyone knows nobody’s at your house. There are tons of things that are just given out there freely to expose you or make you vulnerable in many different ways.
I’m a big privacy advocate. I don’t like posting anything private on social media. You’ll never see photos of my family or anything out there. I can’t do it. It’s horrible for me. I look at it the same as the ‘90s. We wrecked the environment in a way you let the genie out of the bottle—you can’t really put it back. The stuff we’ve done in the ‘90s is going to take us decades to come back from.
In the current time, we’re doing the same thing with privacy. We’re letting so much stuff get exposed that it’s going to take decades after we realize our big mistake. It’s going to even take decades to peel that back. Number one, we’re just putting so much private information on there. You go to someone’s social media, you can get everything. You can get their sexual orientation, where they live, where they work, where they went to school, who their best friends are, and who their family is.
If you were a private eye 40 years ago, this would be hard to get. But now you have everything and you can look at their photos and start figuring out exactly where they are every minute of the day.
I’m appalled at the trivia games that I see people play. It’s like, “Post the name of your first pet.” I’m like, “Uh, that’s a security question.” “Where did you go to high school?” Security question. “What’s your mother’s maiden name?” Maybe it doesn’t go quite that far. I see these games one after another. It’s like, “Dude, these are security questions, people. Stop answering.”
Yeah. The story that comes to mind there is when Sarah Palin’s email got hacked. The person just went to her Google address and her Gmail address. They said, “I forgot the password.” It said, “Here are some recovery questions. What high school did you go to?” Everyone knows what high school Sarah Palin went to because she was boasting about it on TV at the time. It was like, “Well, here it is.” Those recovery questions are easy to get if you’re putting so much information on social media.
Then I guess the things you should also watch out for is probably a warning sign that something is happening. If you have two-factor authentication turned on. If you’re getting those alerts saying you’re not trying to log in to the account, but you’re getting a token saying, “Hey, here’s your six-digit code.”
Yup. Two-factor is a big help. I just want to emphasize now we’re around this topic. The third thing you should do after updating your stuff, getting a password manager. The third thing is to really protect your email address. Because when someone has access to your email account, they can get in and look at all your emails. They can reset any other password you have for any other account that you use to register. They can get into everything else that you have.
“Protect your email address. If someone can look at your emails, they can reset passwords for any other account you have.” - Jack Rhysider
If you have a bank, they can go to the bank and say, “Oh, I forgot my password.” It says, “We’ll email you a new password. Here.” Now you can just say, “Go ahead, email me a new password or let me reset it,” and then you can go to the email address because you’re in the email. You can get resets for everything.
Years ago, we used to really protect our social security number. We didn’t like it getting out anywhere. Today, the thing is to protect your email. Don’t let other people access your email. Obviously, don’t share it with other people, don’t share the password, and don’t share the access. Watch what other apps have access to it. Sometimes you can connect a third-party app into it. Just really protect it.
If you have a partner—a boyfriend or girlfriend—and they know a lot about you, they might know your password and stuff. If you break up with them, change your password because you never know what they’re going to do later. It might be a good idea to just change your password every year and just keep it changed. You really need to protect your email address because that’s access to everything in your world.
To me, that’s one of the scary things. I get these requests for help because of my website. “Someone got into my Gmail account and changed my password. Can you help me?” I can’t help you at all. Almost the scarier thing for me is not that someone got in and changed the password, but they got in, and they didn’t change the password. They can just be sitting in my Gmail account or whatever account and just watching the messages come in. They can send the reset emails and then as soon as they’ve got the reset, delete. I’m none the wiser that my account is being used right under my nose.
Gmail’s attacked a million times a day in this particular way. They’ve got some tools set up for this. At the bottom of Gmail, you can see the last few IP addresses that have connected to Gmail. You can see, “That’s my phone, that’s my home computer, but what’s this IP address?” So you can look there.
But they also typically send you an email when somebody connects that wasn’t typical. If you got a new computer, you’ll get an email that says, “Oh, somebody connected with this new computer to your Gmail address.” The thing you’ve got to watch out for is that person might delete that email right away.
You have to be vigilant of, “Oh, let me look at that right now and not later.” Two-factor identification helps, you’re right. Are you using that token code? And just being very vigilant about that.
If you get a phone call and then you start getting the SMS, calls come in and have been in coordination with one another. I remember there was this banking scam that I had read about one time where the scammer would call the person. They already had the password, but they didn’t have the SMS code. They would call the person and say, “Hey, this is so-and-so with their bank. Someone has gained access to your account. We think they’re in it right now.” They would trigger the SMS. “Oh, see, we just saw them request the SMS code.” They would ask these questions. Eventually, they would ask, “Hey, if you want us to stop the person from accessing the account, and to prove that you are in control, give us that code over the phone.”
And now they have access to the account. And then they would start doing things. The scammer would set up an outbound wire transfer. That would result in a text message being sent to the individual, which required them to answer yes, no, or something like that. They would verbally say, “Hey, I’m going to send you a text message. Do you want me to lock the scammer out of your account? Type ‘yes.’” The yes response is the “Yes, set up the outbound transfer.” It was so well coordinated, it was scary.
Yeah. I have a story where I have been with a scam where I bought something on eBay. I was trying to buy a camera on eBay and the auction got canceled. I was like, “Oh, okay.” I was only like 18 at the time. I didn’t have a lot of money, but I wanted this camera. They said, “Well, listen. We still have the camera. The person who bought it fell through. If you want to buy it, please send us the money through Western Union.”
I was like, “No way.” We went back and forth for like a month of them convincing me. “No, I have the camera. You can get it at the price that you bid. Let’s just get this done. I would never scam you. I’m very religious, and I’ve been praying for your health this whole time.” This person really groomed me for a month. I went back and forth and I finally said, “Okay, I’ll take the gamble.” And I sent the money and I never got nothing.
I sent it to Western Union all the way to Poland. That should have been my first-time indicator. I was naive and young. I didn’t get it. These are lessons that you learn that I really, really took seriously for the rest of my life. Like, okay, be very careful online when dealing with this stuff.
The funny joke is, I don’t know anybody—I’m probably a little bit older than you—but I still don’t know anybody that has ever used Western Union legitimately. Anytime anyone says Western Union, they didn’t even have to give me any other circumstances. I just say scam.
Yeah. I was really upset at Western Union because I called them afterward and I said, “Okay, listen. I need to reverse this charge, or you need to tell me who picked this up. Let’s open an investigation. How do I get you to contact the police because I’ve been scammed?” They did nothing to help at all. They would not tell me the location of who picked up the money or anything.
I was like, “What if I get the police on the phone and ask you? Can you help then?” And they’re like, “No.” I was like, “Okay.” I was convinced at that moment—and for the rest of my life—that Western Union helps scammers, harbors them, and protects them. It’s really, really frustrating.
I agree with you that there’s typically no reason to use Western Union. The people who use it are in desperate situations where they’re having to send money quickly to somebody that you know—a family member. I would only use it to send to other family members if you’re really in a desperate situation. Because it means you can send cash to someone, and they can get it right then. That’s the thing. But man, do criminals love that.
Yep, and no utility bills. No company ever wants to get paid with Amazon gift cards or Apple gift cards.
Yeah. That is another clue. If somebody is asking you to go buy gift cards to pay you for something—that’s a red flag. You should never do that.
Anything that’s even outside of the norm. If you always do an EFT (Electronic Funds Transfer) with your utility company and they now want your credit card number. “Wait, wait. What’s going on? Why do you need my credit card number? This is different than normal.” A number of companies that I deal with don’t even take credit cards. That to me would be one of the biggest red flags is that they’re asking for something that they don’t take.
Yeah. That’s a good point.
Back to social engineering. Do you see or have stories where people are being called at home and personally trying to get information out of them—family members—or things like that? Or do you see it more on the corporation side of trying to get into client systems?
My dad gets a call once a week from India on problems with his computer. Definitely people are getting called at home. India has figured out a way to monetize this in quite an interesting way. It’s illegal there and people get arrested in India quite frequently. It doesn’t seem like it’s going down. As soon as one gets shut down, another one pops up. It’s a criminal market there.
They are just calling one number after another in the phone book. They’re calling everyone and anyone. Another thing is targeting the elderly and saying, “Okay, your grandson is in trouble. He was traveling abroad, and he doesn’t have the money to get back. He said I could call you and see if you can settle some debts with him.” You know the grandparents, “Oh, definitely. I’ll help little Johnny out of the situation he’s in if he’s traveling and he can’t get home.” Because the elderly don’t know that we have a million ways to communicate home. They think the only thing you have is a phone, but you don’t have a quarter to call so you’re stuck. They just think that’s the situation.
I have a friend who’s a grandfather. He got that phone call: “Your grandson has been arrested. He’s calling for you to bail him out. It was a minor infraction. It’s $500 to get them out.” He goes, “Where was he picked up? Was he picked up for whatever?” He’s like, “That’s funny. My grandson’s only five. I don’t think he’s capable of that.” Luckily, he was smarter. Obviously, the kid was not the right age bracket for the scam, but he was also aware enough of those types of scams to not fall for it.
To me, that’s part of why I do the podcast. Awareness helps people at least at the beginning levels of starting to think critically when things are unexpected. If you didn’t call your bank and they’re calling you, in some sense that should be a red flag. Not that it’s guaranteed to be wrong. But you should at least say, “Okay, I need to put on my is-this-really-my-bank cap.”
Yeah. What I’ve done with my dad is I’ve set up a code word so that if he’s in a situation or I’m in a situation where we’re actually in need of help, we can tell the person to call, use this code word. My dad and I know this word. We know it’s legit at that point. My dad is hilarious and loves to get these scam calls because he just laughs so hard with what he’s doing with them.
If somebody calls him and says, “Oh your son got arrested.” Oh my gosh, he would have a great time with that. He would love that call. He’s prepared. Because he knows there’s no way unless he has the code word. He assumes that it’s just a scam, to begin with. It’s good that he’s on the right side of the assumption to start with.
My wife and I are similar to you. That when we travel, we tell certain people we’re going on vacation. “Here’s where we’re going to be. Here’s when we’re going to be. If you get any correspondence from us that’s not consistent with what we’re doing, you need to really verify that it is a real situation and not a scam.” We don’t want our families to fall victim to that sort of stuff.
A couple of other things are coming to mind here. There has been some stimulus check scamming going on. People have been filing unemployment on your behalf even though you never quit your job or got fired. Somebody’s doing that. That’s another time where an individual is targeted. They’re not really targeted because it’s the US Treasury that is targeted, but money is taken in your name.
Which could become problematic later on if there are taxes for that. Unemployment—you have tax obligations with that in the US.
This is a story that I got yesterday. This guy was a spammer. He was going to email a bunch of people to buy medicine—pharmacy supplies from an illegal pharmacy. His idea was to find a list of email addresses of people who are ex-drug addicts thinking, “Hey, if I can target them, then I will have a better chance of getting them.” He felt so bad about this many years later. But the idea was, they’ll be more vulnerable to getting in on this pharmacy stuff. If you can say, “Hey, I’ve got some opioids available at this pharmacy. You can buy it on the internet.” That person’s just getting off of drug rehab. Man, that’s tempting all of a sudden.
That’s why he was targeting those people. You have to also be aware of what your vulnerabilities or weaknesses are. If you have a weakness towards anyone who has a sick cat, you don’t mind helping out. Now somebody’s emailing you, “I’ve got this sick cat. Can you please send $200 to help me get to the vet?” “Okay, here you go.” If you recognize these are your weaknesses or something, then you can also recognize that might be an avenue for someone to scam you.
That’s the common thing on the relationship scams and the people they meet online. They build this relationship very quickly and then, “Gosh, my kid is sick, my mom is sick, or my pet is sick. I need to get to this other country because of this emergency. Can you help out?”
I tried to reverse a scam once where I got a burner phone because I was going to a security conference. I didn’t want my real phone there because there were hackers everywhere.
I got a prepaid cell phone for the weekend. I started getting text messages on this number because this was a brand-new number. I didn’t even have this phone before, but this person was trying to scam me. They’re like, “Hey, I’m in a desperate situation. Can you please send some money?” And I was like, “Do I know you?” And they’re like, “No. But I know that you can help out in situations” or something like this. I reversed it. I said, “Listen, I’m stranded right now. I have no money. My boyfriend just left me. I don’t have a way home. I’m stuck. I would totally help you, but I am stuck and I can’t get home.”
I knew what they were doing was a scam. There were some clues about it that just didn’t add up. They were like, “Oh, how do you need help?” I’m like, “I need $100 sent to me.” I tried to reverse the whole thing, but they ended up saying, “Call me back when you get home.”
If you help me out with $100, I could help you out with $1000 later.
Yeah. It was a lot of fun to try to get them back, but it never happened.
I would assume that most scammers are pretty wise these days to people trying to flip the scam on them.
I don’t know. I don’t know if they’re the smartest bunch sometimes.
Okay. I amend my statement. That’s true. I’ve dealt with some very dim-witted scammers from time to time.
For your podcast, you talk more in-depth about these types of scams and hacking cases?
Yeah, definitely. Social engineering is one of the favorites that people like listening to. Like I was saying, people get hired to go and break into offices to see if the office is secure. That’s one of the favorites that people have. We cover a lot of episodes like that. But then I also hear from the criminals too on how they actually broke in and did stuff. We hear from that perspective. Sometimes they hear from law enforcement, and I interview all these people to hear how they catch the criminals—what they did to make a mistake to get their tracks.
It’s a fun show where you really learn about the technical aspects of what’s going on out there and how it works. I think a lot of people, it’s top of mind right now. Hackers are breaking in everything. When you hear that, you have this thought in your head of, “Oh, hackers—people in a hoodie in the basement or something.” There’s this immediate thing. I like to really slow down and say, “Okay, this is what they did. They found the password written underneath the keyboard. How is that hacking? Is that even hacking? That’s just laying a password.” It wasn’t quite a hacker, but it was somebody who had access that they shouldn’t have.
We get into the weeds of it. And then you start understanding like, “Oh wow, I could have done that. That’s a simple Google search. I could have done that.” That’s what we get into, and it’s really eye-opening for a lot of people.
If people want to find that podcast, what’s the name and where can they find it?
Darknet Diaries, and you can find it anywhere you can find a podcast or go to darknetdiaries.com.
You’ve been running it for several years now?
Yup. We just finished up episode 73. There’s quite a lot to check out.
That is totally exciting. I look forward to listening to it. My wife and I, during the lockdown, we’ve binged everything that we have had access to. We’ve gone through all the crime shows. We’re getting into the Dateline stories now. I think this is going to be a great addition to our listening.