Cybercrime continues to evolve in sophistication and scale, with attackers running their operations much like businesses. From ransomware gangs with customer support desks to AI-generated phishing campaigns that erase traditional red flags, scams are becoming harder to detect and stop.
In this episode, David Bittner, host of the CyberWire Daily Podcast, shares his perspective on the changing landscape of fraud and cyberattacks. Drawing on his background in media, theater, and podcasting, as well as years of reporting on security issues, he explains how both criminals and defenders are using AI, why ransomware has exploded instead of fading, and how scams exploit human trust and expectations.
David also talks about common scams hitting people today, from toll violation texts and fake bank calls to romance scams on social media. He recounts personal experiences of being targeted, including a Facebook credential-harvesting attempt and an exit-ramp “out of gas” con, to show that no one is immune. Looking ahead, he predicts existing scams will keep evolving, AI will continue to raise the stakes, and defenders may eventually need AI “agents” watching out for them in real time.
“Scams work best when they align with what’s going on in your everyday life. That’s when we’re all most vulnerable.” - David Bittner
Show Notes:
- [02:00] David explains how CyberWire grew from a daily news brief into a full podcast network covering cybersecurity.
- [04:21] David recalls his background in media, theater, and early computer culture that shaped his path.
- [05:52] We hear how luck, timing, and technical skills combined to make podcasting a success for him.
- [07:17] David shares why he believes AI is the biggest change to cybersecurity in the past decade.
- [08:00] He notes that bad grammar is no longer a reliable phishing red flag thanks to large language models.
- [10:11] We discuss how phishing awareness training must adapt to more convincing scams.
- [12:30] He reflects on the unexpected rise of ransomware compared to early predictions about cryptomining.
- [14:08] David explains how ransomware groups now operate like corporations with support teams.
- [16:00] He raises concerns about ransom payments funding overseas criminal networks in Russia and North Korea.
- [18:15] We learn how scammers use call centers and human trafficking to scale their operations.
- [19:30] David describes current scam trends, including fake toll violation texts and AWS account alerts.
- [21:32] He points out how romance scams thrive on social media platforms like Facebook.
- [22:16] David recounts a frightening call where his mother was nearly scammed by criminals posing as bank security.
- [25:09] He emphasizes how scammers manipulate victims to stay locked into the story and ignore warnings.
- [26:03] We hear how criminals pressure victims into withdrawing cash, buying gold, or handing funds to unwitting couriers.
- [27:00] David shares a case where a delivery driver was tragically killed after being caught up in a scam pickup.
- [29:00] He talks about his own experiences of being scammed, including a Facebook credential-harvesting attempt.
- [32:08] David recalls falling for an “out of gas” roadside con and explains why he still prefers trusting people.
- [34:00] He reflects on how vague scam messages exploit imagination and insecurities.
- [36:08] We hear examples of scams that exploit real-life contexts, such as HR benefits or package deliveries.
- [37:45] David explains his current vigilance with real estate transactions and wire transfer fraud.
- [39:26] He predicts the next wave of scams will be evolutions of what already works, boosted by AI.
- [40:07] David outlines the persistence of “treasure box” and inheritance scams dating back hundreds of years.
- [41:02] He shares his hope that future AI “agents” will act as a safeguard for vulnerable users.
- [42:21] David speculates about “nuisance ransomware” that charges small amounts to fly under the radar.
- [43:25] He jokes about calling it “inconvenienceware” and wonders if such a niche could emerge.
- [44:39] David directs listeners to CyberWire.com to explore his podcasts and resources.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- CyberWire Daily
- Hacking Humans
- Caveat
- CyberWire
Transcript:
Dave, thank you so much for coming on the podcast today.
It is my pleasure. Thanks for the invitation. I appreciate it.
I'm so glad to have you here. Can you give the audience a little bit of background about who you are and what you do?
Most people probably know me from being the host of the CyberWire Daily podcast, which is as it is named, a daily podcast having to do with cybersecurity. We publish five days a week. The idea for the CyberWire is that if you listen to the CyberWire every day, you will know what you need to know about cybersecurity as a cybersecurity professional. You won't be surprised when you walk into your daily meeting with the people you work with. We're not going to give you every detail about everything, but at least you'll have general awareness of what you're up to. That's the main thing I do.
There are a couple other podcasts I do. There's one called Hacking Humans, which we were lucky enough to have you be a guest on a while back. There's a policy podcast called Caveat, and then we do a weekly show on research called Research Saturday. Those are the main ones that I do, and that's a lot.
Yeah, that is. What got you started in these podcasts?
I have a background in media and video. Actually, beyond that, I have a background in theater, voiceover, and all those kinds of things. About 10 years ago, I took on a job with a cybersecurity company in Baltimore who was already publishing the CyberWire as a daily email news brief. I was the in-house video communications guy. I suggested to them, “Hey, let's do a podcast version of this.” They said, “Oh, well, that's cool. Let's give it a shot.” We did, and it ended up taking off. We spun it out into its own company about 10 years ago. We've been really fortunate and worked really hard, and it's been a success.
My background is not as a practitioner of cybersecurity stuff. I did come up during the original round of 8-bit computers and bulletin board systems. In my early teens, I did my share of phone phreaking and all that stuff. I say I definitely dabbled in the early days of cybersecurity.
For about 20 years, I had my own media production company, and I was in charge of cybersecurity for that company. I'd say I came into cyber with an above-average amount of knowledge, but certainly not expert knowledge. Over the years, I'd say at least the first year or so of doing the CyberWire Daily was just a fire hose of learning information. I was lucky enough to have people around me who could patiently teach me what I needed to know, tell me how to pronounce things, and all that stuff. That's what led me to where I am today.
OK. I'm going to go on a huge tangent here since you talked about pronunciation. Is it jif or gif?
I am gif. Yeah, I'm definitely a team gif. Yeah, for sure.
It's a total tangent there. I apologize. You and I have the same coming of age in the computer age. I ran a BBS out here in California. I remember that I had the biggest BBS with a 5-meg hard drive.
What was it called? I might have visited it back in the day.
The Citadel. I think I even spelled it wrong.
Yeah, I remember the Citadel for sure.
What did we do? We had FidoNet at some point. I had a whopping two telephone lines back in the old days.
Yeah, absolutely.
All that fun stuff from the old days.
I was able to call you in California because of phone phreaking.
That's the one I never did. Participating in FidoNet was really expensive because I had to make a long distance call to get my local node feeds of all the posts and stuff like that.
Yeah. That's great.
When you had the opportunity to start the CyberWire, was it just a different venue, a different medium of the material, or were you like, “I've always dreamed of being a podcast host,” even though podcasting has probably not been around a whole lot then?
No. I had no aspirations to be a big-time podcast host or whatever that means. It was just that, as luck would have it, many of the things that I had done my entire life all contributed to being able to make a run at being successful at podcasting. I'd been doing professional voiceover since I was about eight. I was a theater kid. I had the technical knowledge from the computers when I was a teenager.
My career in video and multimedia contributed to my understanding of computers, networks, and all that stuff. I knew how to edit, and I knew how to make audio that sounded good. All of those things came together and made it so that when we had a little tiny team of people who wanted to make a run at this professional podcasting thing, there were a lot of different things that I could contribute. I just got lucky.
Right place, right time with the right resources to make the opportunity work.
Right. It's that old saying that luck favors the prepared mind, I think. I forget who said that, one of the old philosophers.
I'm totally in alignment with that thought. I had the opportunity to start whatismyipaddress.com way back 25 years ago. I'm dating myself. It was just the same thing, right place, right time with the resources to do something about it.
Yeah.
I'm curious. Because you've been doing this for 10 years, what are some of the biggest changes that you've seen in terms of cybersecurity and cybercrime?
I think it's fair to say the biggest thing is AI, for sure. I don't think it's exaggerating to say that the introduction of a large language model artificial intelligence is a once-in-a-lifetime event for most of us. We don't know where it's going to go, but it certainly has changed things. For both criminals and defenders, it made a huge difference.
You know that one of the tells for a phishing email was bad grammar. That's gone now. You can throw anything at ChatGPT and say, “Please proofread this and make it have perfect American English grammar.” It will come out the other side flawless. It's taken away some of the common tells for the scams. I think it also allowed a lot of the scammers to operate at scale where they can just churn things out. It's much easier for them to customize their scams to people at scale than it used to be.
On the defender side, they're using the tools as well. They can do a much more effective job at scanning for scams and so on. A lot of this stuff, we don't even see behind the scenes. If you've got a Gmail account, that's being actively scanned all the time.
Just think about run-of-the-mill spam. I think of spam as being pretty much a solved problem. It's very rare for a piece of true spam—the old Viagra emails—to make it through to my inbox. They're in there, but we don't see those anymore. Hopefully that's where we're headed with scam emails as well, the phishing emails and stuff like that. Do you agree with that, or do you think AI is a biggie?
Yes, I absolutely believe that AI is, has been, and will continue to be a big deal on the scam side because it does deal with so many of the telltale signs that I used to talk about five years ago. It's the grammar, it's the wrong logos, it's the weird formatting, the grammar issues, the punctuation issues. All those little things totally go away. Even the voice of the email, you can now feed AI and say, “Hey, here's what I'm trying to say, but I want it to sound like it's coming from a blue chip corporate entity from their policy department,” and it reads like that. Or, “I want to write it like it's coming from whatever your local friendly brand is,” and they have a particular style.
AI is so easily able to mimic those styles that you lose that—I forget what the terminology is. This doesn't sound like the brand that I'm used to that would normally put up the spidey senses and the hair on the back of your neck go up. When all those things are there, it now just becomes the general paranoia that you now have to have of, “Is any email that I'm getting really from who it's supposedly from?”
Yeah. Even things like phishing tests for security awareness training. The sophistication that has to grow for those because it's a different game now.
Yeah. I don't know the days of the Nigerian Prince email. I don't know that those will ever be gone, but I don't think those are going to be the big scams anymore. Those are not going to be the things that are predominantly getting. Mind you, I still see them in my spam folder. I still get people contacting me saying they've fallen victim to them. That used to be the bulk of what I would get, and now it's a lot more carefully crafted stuff.
Yeah. I'd say, another thing that was noteworthy is the explosion of ransomware, because years ago, when ransomware and crypto mining were coming up at the same time, a lot of people in cybersecurity thought that ransomware was going to fade away and that crypto mining was going to become a really hot thing. More so than ransomware, crypto mining's a victimless crime in that I can install something on your computer, it runs at night while you're asleep, it mines crypto, you probably won't notice, and it's not using that much electricity. It's not going to hurt you.
The opposite happened because ransomware folks went from what I categorize as nuisance ransomware trying to come at you for $50 or a hundred dollars to go after the big corporations for millions of dollars. I don't know that a lot of people saw that coming or would've predicted that that was the direction that it went in. That seems here to stay.
I get both sides of the argument. It's a really weird problem in that corporations have the money to pay the ransoms. It comes down to the question of, “Is it just better for our business? Can we get back up and running faster if we just pay it than if we try to not pay it, do all the restore, and do all the work that we've got to do?” It just becomes a pragmatic question. It seems like an awful lot of corporations are just paying it just to move on.
Yeah. The ransomware operators are running like businesses. They have tech support. They literally have tech support. Different people take care of different tasks within the organization. Most of the big ones—not quite correct way to say this—have integrity. In other words, you pay the ransom and chances are, you will either get your data back or your data will not be shared because the ransom operators want to have a reputation that will get them paid. What a world, right?
It is a really weird world when the criminals have to maintain a certain reputation of honesty and integrity.
Right.
There's no honor among thieves, but if they weren't consistent about the way they behaved, then no one would ever bother to pay.
Right, exactly. That's what we see. I think it's going to be interesting to see how this plays out. We are seeing more and more legislation around the world, where organizations have to report if they've paid the ransom. We're not seeing very much in terms of actual banning of payments, but who knows? It is definitely going to evolve.
Is that a discussion you've had on the policy show?
Yeah. There are folks who think that the payment of ransom should be banned, particularly to overseas organizations. What are we funding here? Are we funding Russian criminals? Are we funding North Korea? The answer to both of those is yes.
If the federal government said paying the ransom is illegal, that takes away a big incentive of the ransomware operators, but it would also create a black market because there will still be plenty of people who are paying under the table, paying through a foreign subsidiary, or paying through a third party, which already happens. There are plenty of cases where people get popped with ransomware, their insurance company pays the fee, and they say, “We had a cyber issue for a couple days,” and don't admit to it being a ransomware attack.
“It's just a payment to our insurance company or our law firm. They just sent us a bill and we just paid it.”
Yeah. The flip side of that is, I think a good side effect of all this is that the insurance companies are being much more demanding to organizations to get the insurance. If you want to have ransomware insurance, you need to demonstrate that you are observing best practices, or they won't cover you. It's good for the ecosystem. I guess.
It increases the overall bar somewhat and reduces the challenges. To me, the thing that has gotten more squirrelly is that it seems that a lot more of the criminal enterprises are no longer relying on their own teams, but are relying on human trafficking. Rather than just paying the people that are part of your criminal enterprise, you've now turned around and are exploiting other people to do the work for you.
Right. Yeah. We hear these stories as the sweat shops and people being kidnapped. I don't think slavery is too harsh of a word for what's happening to them. They're shipped off to countries under false pretenses, their passports are taken away, and they're put to work under the threat of violence. Some of them are in these call centers that are calling folks like you, me, our loved ones, our parents, and trying to rip them off.
Speaking of call centers, what is the phone call or text message [inaudible 00:17:07] that you're getting?
Gosh. You mean the top scams?
Yeah. There's always something going on in the wider market, but what are you personally seeing?
I think the real hot one right now is unpaid traffic tolls. That seems to be the hot thing. You must pay this now or your license will be suspended, and those seem to be hitting nationwide. They're relentless. My wife got one just yesterday that was an Amazon account issue that, “Your storage is going to be changed, so we need you to log in and change these settings.”
My sense is that a lot of them are getting more subtle. Instead of, “If you don't pay right now, something bad is going to happen.” It's more, “Hey, we're making a little change here, so we need you to log in to help us make this change.” What they're after is your login credentials, which they will either sell or use to get into your account and go from there.
Because that's one of those red flags that we always talk about. If there's fear and alarm, watch out. When it's just, “Hey, this is just a routine update. We’re up-leveling our security and we need you to reset your password or re-authenticate to make sure that your account continues to be secure.” You're like, “Oh, I want to do that. OK, I can do that.”
Right. Yeah, you get an email that says, “Good news. We’re making you safer.” I want to be safer.
I like that. As opposed to, “Bad news. We've dumped all your data.”
Right. Or, “We just charged you $500 for a McAfee Antivirus.”
Those ones have been weirdly unique in that they are, at least for me, always like PDF attachments. It's like, why in this particular scam, they've utilized PDF attachments as their vehicle as opposed to, why not just a regular email that I would get from any vendor?
Yeah. I'm sure you know the answer to that is that PDFs aren't scanned as thoroughly as the text of your email is. You know they do A/B testing to see what gets through. They do it because it works.
Yeah. The weird thing to me is seeing what gets through and is more frequent. That's what's working. I try to think back in my head, “Well, why does this work better than these other things?” The scary thing about the platforms that the scammers are using is that it has gone from the joke of the guy in his mom's basement trying to steal money from people to these are run as businesses, and they're always trying to fine tune their business practice. They're always trying to be more efficient and change their playbook to be more successful. Anything that any other business would do, it's just that their product is theft.
Yeah, and it's a global industry.
We talked about the toll road violation text messages. I still get the random like, “Oh, hey. Are we going to meet at the golf course today?” “OK, yeah. You're trying to build a relationship here. You're trying to do something.” Are there any other ones that you're seeing that are particularly aggressive right now?
You always have the romance scams. You'll see those on social media a lot. Facebook is the worst. I was trying to come up with a friendly euphemism, but let's just say it. They are not effective at blocking the various scams that appear on their platform. Romance scams are a big one.
Just today, I got an invite to a friend request from a classic military veteran in uniform, has 12 friends on Facebook, and a dozen posts that are all inspirational messages about this, that and the other. I don't know why he was targeting me, a man. Typically they go after women, but very common. I have a sister who gets these by the handful every day. Again, they use them because they work.
When you say aggressive, I think of the scams where they will get someone on the phone. They'll get an elderly person on the phone. This actually happened to my mother once, and I caught it in the midst of it.
My mother was on the phone with someone who was telling her she had to do something that she was in the midst of being scammed, and they were there to help her. I just happened to drop by to visit while she was on the phone and I could see that my mother was all worked up about something. I was like, “Mom, what's wrong?” She said, “These people on the phone are telling me…” I said, “Hang up the phone, mom.” “But they're telling me…” “Hang up the phone.” “But they're telling me it's a scam.” “Hang up.” “But they're telling me…” “Hand me the phone, mom. I'm up for it.”
What they are doing is they're getting people on the phone. They're either getting them to go to the store to buy gift cards or getting them to go to the bank to transfer money. A recent wrinkle in the bank scams that we were talking about just a couple weeks ago over on our Hacking Humans podcast was they will get someone on the phone, they will tell them that they are from bank security, that there is a problem with their account, that they need them to go to the bank to transfer these funds, but the people at the bank are in on the scam. When you get to the bank, they're going to try to tell you not to do this.
They're going to ask you all sorts of questions, “But trust me, I'm from bank security. We're going to take care of them later. Right now, we just need to protect you. We need to get your money somewhere where it's safe.” That person goes to the bank, they're on the phone. The bad guys will actually ask you if you have AirPods or an in-ear type of headset. They'll ask you to use that so that you're not visually on the phone while they're walking you through everything to say to the bank teller to transfer the money and to deny.
Here's the thing, Chris. Bank tellers and cashiers are all trained now to look for these things. If you or I walked up to a cashier with a dozen gift cards, they would say, “Hold on. Why are you doing this?” Tip of the hat to them for being well-trained to do it, same with bank tellers. The scammers have had to up their game. When you're manipulating someone like that one-on-one, it's despicable. Your heart breaks for the people who fall for that. Lots of people lose their life savings.
Yeah. It's awful because I think once people are bullied into the initial story, they're so tied into the story that they can't see the logic of getting out of the story. If you know that the bad guys are at that branch, “Let me just go to this other branch where you know there's no bad guys.”
Right.
Or, “My gosh, if you have bad people at every branch, I just need to take my money to another bank. Why should I trust your security department? If there's so many bad guys at every single branch office, clearly you have an institutional problem, and I just need to move my money out of the institution.”
Right.
They tell such a good narrative. They use all these manipulation techniques. They're professionals at manipulating people's mind and getting you so tunnel-visioned that that's the only path that people see as the right path for them to do.
Some of them will get you to withdraw cash and/or they will convert that cash into gold bars. They'll get you to go buy gold, and then they'll send a delivery person to come pick up either the cash or the gold bars. The delivery person isn't in on the scam. They're just a money mule. They're innocent in all of this. They're just doing a delivery. They don't know what's in that bag, box, or shoebox that you're handing over. It becomes untraceable. It gets caught back.
There was a recent story out here in Los Angeles—I think the story was in Los Angeles, I should preface—where someone had been a victim of one of the bank scams. The courier was coming to pick up the money, and it was just an Uber package delivery guy. When he showed up at the front door, the guy just shot him through the front door and killed him. He was just hired to go pick up a package and take it from point A to point B. He wasn't involved in the scam, knew nothing about what was happening, and he just got caught up with someone who was suspicious. Whether he thought the guy was there to steal the money or deliver it, he was just so paranoid about it that he ended up killing the person, which is like, “Oh, my gosh. It's spilling out into the street, so to speak, beyond the original scam.”
Right, absolutely.
You are telling the story about your mom. Have you ever been a victim of a scam, a fraud, or a cybersecurity incident?
I have. There are two incidents that come to mind. Let me lead into this, Chris, by saying that I have made a deliberate life decision to not go through life being cynical and untrusting of my fellow man and woman.
Good for you.
And some days, that's hard. We all have days where all you want to do is be cynical, but I would rather occasionally be scammed or lose some money rather than go through life considering every encounter I have with everyone to be suspicious. I would rather give people the benefit of the doubt. That's just me. Everybody's different. There are probably people out there who hear me say that and say, “He's a fool.” That's OK.
Two incidents that come to mind. One, this was before I was working with the CyberWire. Let's say it was probably about 15 years ago. I was sitting out on my deck in my backyard. I had my mobile device in hand. I got a text message from a dear friend and it said, “Hey, Dave. Did you see this video that you're in?” That's all it said. There was a link. I'm like, “No, what video?” I clicked the link, the link goes to a Facebook login, and I log in. It's not Facebook. They were harvesting my credentials.
My friend's account had been hacked. The bad guys were using my friend's account to reach out to me and then get me to log in to a fake Facebook page so that they could get my credentials. I was lucky enough to figure it out pretty quickly that I was able to change my password, get my credentials back, and all's well that ends well with that one. I felt pretty stupid. I felt like they got me, and it's a terrible feeling.
I know you do this as well. You try to remind your audience that nobody's immune to this. This can happen to anybody. You're not stupid. You're not lazy. You're not an idiot. They just got you. Every now and then, they're going to get you. It's like getting a cold. You can wash your hands, you can clean all the surfaces around you. Every now and then, you're going to get a cold. It's just part of life.
Two, I was driving home one day. I was coming down route 95, big east-west highway here. It goes up and down the East Coast of the US taking the exit off to my town. There, over on the side of the road was a car. There was a man standing next to it and was waving his arms like he needed some help. I thought, “Well, I'm not in a hurry. Perhaps I can lend a hand to this gentleman.” I pulled over and he came up to the car. He said, “I've run out of gas. Could you give me some money for some gas?” He said, “Here, let me give you some jewelry as a down payment, as collateral on the money you'll give me for the gas.”
I said, “Look, I don't need any jewelry or anything.” I said, “I'll tell you what. Why don't you get in my car and I'll drive you to the gas station. We could get some gas and I'll drive you back.” He said, “No, no, no. I can't do that. My wife and my children are in the car, and I can't leave them.” He had an excuse for everything.
I gave him a few bucks, and I went along my way. I want to say within 24 hours, I read a news story from state troopers’ report, scammers on exit ramps tricking people into giving them money in exchange for gas. I thought to myself, “I fell for it, but at the same time, that's the price I pay for not being cynical.”
To me, that's a relatively low cost. It's not like “I lost my 401(k)” or “I lost six figures.” It was, “Yeah, I lost a cup of coffee or a couple of cups of coffee.” That's a reasonable loss to tolerate.
Right.
I wonder about the first story that you were telling. Do you think that because of your background in theater and production, you were more likely to open it than if you hadn't? I assume at that point in your life, there probably were videos of you out there, or maybe you had done stuff and maybe someone had filmed something. There might actually be a video of you out there.
You're probably right, Chris. Yes. What I do in my community is I'll volunteer to be the MC at fundraisers, charity events, and things like that. Those sometimes get videotaped. I was probably thinking to myself, “Was there some blooper, or did I say the wrong thing to the wrong person?” My first thought, most people was embarrassing.
I think what's interesting in retrospect is the message that the person sent me was completely nondescript. All it said was, “Hey, Dave. Have you seen this video of you?” My imagination filled in the rest. I'm guessing some people will be like, “There's an awesome video of me out there; I must go check this out. It's a video of me being awesome the way I am always.” My mind immediately went to, “What have I done that's embarrassing? Are my wife and children going to leave me? What have I done?” That's what they do. They let you fill in the gaps and take advantage of your mind, your insecurities, and all those kinds of things.
I know my wife's response to getting that pre-Covid, pre-Zoom life was, “There's no video of me out there.” It was a total non sequitur. It would be like if someone had sent her an email saying, “Oh, I'm so glad that you got hired as the bank president.” “I didn't get hired as a bank president. Delete.” Those things are so outside the scope for her that for her it was like, “That's clearly a scam because there's no video of me out there.”
Right. That said, there must be something out there that she would totally fall for.
Yes.
Some hobby she has. It's something that if somebody did enough digging, they could figure out what her kryptonite is.
When I've asked this question of other guests, and this is why I asked you that question, the scams that people in the industry have fallen for were always things that were in line with their expectations. One of the guys I was talking about had ordered something internationally. When he got an email saying, “Hey, your package is caught up in customs,” the mind fills in, “Hey, you are expecting this international package. That must be what this is.” Like you, he just starts filling stuff out and then partway through the process goes, “Wait, they shouldn't need this information. They should already have it,” and then starts looking at it and goes, “Oh, gosh. It's totally this.”
It was a family member whose account had been compromised, so they started interacting with them, thinking it was their family member. At some point something went sideways, like, “Oh, that's not my family member.” There's always one of those. I think we're all susceptible to a scam when it falls in alignment with what's going on in our everyday life.
Yeah, it's a great point. I think also that vagueness is a red flag.
Yeah, because your mind will fill in the details.
Exactly.
The other one was internal phishing testing. He had, the day before, been talking with someone in HR about the benefits package, healthcare, or something like that. He received a phishing email that happened to be about the exact same health benefits package or whatever it was that he'd been talking to the HR person about. It was like, “Oh, this is exactly what I was looking for,” and he immediately clicked on the link. It was like, “Oh, here I am in cybersecurity, and I was the first person to click on the link because it was exactly what I was expecting to happen.”
Yeah, absolutely. I am in the midst of a family real estate transaction. We had a family member pass away, so we're in the process of preparing a home to be sold and all those kinds of things. I am terrified right now. I am hypervigilant about all of the mortgage scams that are out there. On the one hand, I feel I have the advantage that I do this every day, and I've learned about them. On the other hand, I feel really bad for the people who are going to be handling our settlement because I'm going to be so thorough and so nitpicky about all of it. But that's the way you have to be these days.
Imagine if you got an email saying, “Hey, here's the account number where we need you to send this fee release.” You'd be like, “Oh, OK.” Because it's exactly what you're expecting to happen.
Right, exactly.
But good on you to be paranoid. In this one example, outside of this box, you're going to trust everybody, but inside this little box, you won't.
That's right. Do as I say, not as I do.
I think that's realistic. There are areas of life where you're willing to take the calculated risks, and this is an area where you're not willing to take a calculated risk.
That's right, and it goes beyond me. There are other people who are affected by my actions, so it's not just a personal, day-to-day, crossing paths with other people thing. It's much bigger than that. I will be vigilant.
As we start to come in for a landing here, what do you think the next big wave of scams and frauds is going to be? You don't get to say AI. Maybe it's a particular utilization of AI, but you don't get to say, “Oh, AI.”
I was going to say AI, Chris. I think it's going to be evolutions of all the things we see now. I'm trying to remember what the term of art for it is. There's a thing called a treasure box scam, which is basically, “Hey, I have this thing of value and I want to share it with you. It came into my hands through happenstance, and I need your help to free it from something that's keeping it from being freed. If you help me, we will split the proceeds.” It turns out that those scams go back to the days of pirates, literally. They're hundreds of years old and we're still using them in the modern age.
We see them all the time. People say, “Hello, I'm from so-and-so in Europe. Your long-lost relative died and left $5 million.” We've all seen those. My point is that I think most of what we'll see is the evolution of things that work. I think AI will make it easier for those things to be more effective, but what I hope is that all of us will eventually have some kind of AI agent. This whole thing of agentic AI will be keeping an eye on us behind the scenes.
When you go on your phone to transfer a lot of money, or you go to give some stranger permission to access your computer or your bank account, this robot is looking over your shoulder and saying, “Hey, are you sure you want to do that? Let me look into that. Why are you doing that?” So that the most vulnerable among us have a backstop. That would be my dream. That's what I would love to see so that it makes it harder for the scammers to get what they want.
I like that.
Yeah. It's hard to predict the future. There's nothing that I've wondered about, like, “Why aren't the bad guys doing this yet?” Because they're pretty thorough.
Unfortunately, yes.
They're highly motivated. If it can be exploited, they're going to figure out a way to do it. I wonder sometimes about nuisance ransomware. In other words, let's say I was a cybersecurity professional and made it through my career. I just didn't do good retirement planning. Time comes and I just have come up short with my finances, but I have skills. What would happen if I unleashed on the world nuisance ransomware? Ransomware that asks for $5, $10, or $20. It slows you down, doesn't really disable anything, gets in your way, and it makes it easier for you to pay than not. Could someone doing that fly under the radar, not be worth pursuit by law enforcement? That's a category I haven't seen open up yet that I wonder about.
Are we going to call it inconvenienceware?
I like it. I'm going to steal that, Chris.
Nuisanceware.
Yeah, because we went from that. We had that for a little while. Ransomware started out like that, and then it jumped to the big numbers. I wonder if there isn't a little market niche for that. Hopefully it will never come to pass, but that's the one that I haven't seen filled so far.
Something small enough that it's not going to attract a whole lot of attention, that they can afford the loss. It's less than a cup of coffee. It's just bothersome more than anything else.
When the person on the side of the road took me for $10, I didn't call the police. It's like, “He took me for $10.” Maybe something like that.
Interesting. I like that. I don't like it, but it's an interesting concept. I like the concept, and I hope it never comes to fruition. Somehow everybody has tuned out and not listened to the last one-and-a-half minutes of our conversation.
That's right.
If people are interested in what you do, and they've been enthralled by your voice and your storytelling abilities, where can they find out more?
The best thing to do is just go to thecyberwire.com and you'll find all of the podcasts that I'm part of right there.
Awesome. Dave, thank you so much for coming on the podcast today. I super appreciate your time.
No, it's been my pleasure.