Afford Anything - How Hackers Are Stealing Your Retirement $50 at a Time, with former CIA hacker Dr. Eric Cole
Episode Date: June 13, 2025
#616: Two school teachers in Ohio saved their entire lives for one dream — buying a farm. When they inherited $1.3 million and found the perfect property for $1.2 million, everything seemed perfect. Five days before closing, they received what looked like a legitimate email from their closing company with wire transfer instructions. They sent the money and showed up at closing, only to discover they'd been scammed. The email was fake, sent by hackers who had infiltrated the closing company's servers for months, waiting for exactly this type of high-value cash deal. That story comes from cybersecurity expert Dr. Eric Cole, who joins us to explain why ordinary people have become prime targets for cybercriminals. Cole, a former CIA hacker who served as cybersecurity commissioner under President Barack Obama and advises high-profile clients including Bill Gates' personal estate, has a message: if you think you're too small to be targeted, you're wrong. While billion-dollar companies deploy teams of 60 cybersecurity professionals, you have virtually no protection. Criminals know this. They're not trying to steal $100 million from one person anymore — they're stealing $50 from thousands of people every month. You probably won't notice the small amounts vanishing from your accounts. Cole calls it "death by a thousand cuts," and it's happening right now. We talk through the most common attacks targeting your money. Bank hacking is simpler than most people realize. All criminals need is your account number — printed on every check you write — and your password. With that information, they can often perform electronic fund transfers of up to 50 percent of your account balance without triggering alerts. We also cover the China-TikTok connection, secure messaging options, and why Cole helped configure President Obama's smartphone to connect to fake cell towers that masked his actual location.
Cole's bottom line: cybersecurity isn't just for tech companies anymore. Criminals are targeting ordinary people because we're easier prey than heavily protected corporations. Your money is under threat. Here's how to protect it.
Timestamps:
Note: Timestamps will vary on individual listening devices based on dynamic advertising run times. The provided timestamps are approximate and may be several minutes off due to changing ad lengths.
(0:00) Introduction
(1:17) Why ordinary people are cybercrime targets
(2:29) The "death by a thousand cuts"
(4:05) How criminals destroy your credit with fake accounts
(5:19) Cryptocurrency wallet attacks and empty life savings
(6:08) Elder scams and the devastating impact on families
(8:24) Different types of cyber attacks explained
(8:44) Bank hacking
(14:25) Phishing scams using fake toll messages
(18:53) Ransomware as a legitimate Russian business
(23:44) How scams and cybersecurity overlap
(35:31) Paula's phone security audit
(49:54) Smartphone security for high-profile individuals
(54:55) TikTok's data collection and Chinese government access
(59:44) Real estate scams targeting cash buyers
(1:12:18) Essential security rules
(1:27:05) What to keep in a fireproof safe
https://affordanything.com/episode616
Transcript
What if invisible digital threats are putting your money at risk right now?
Cyber security might be the overlooked weak point of your financial plan, because getting scammed,
getting hacked, these are things that could ruin your retirement and put a serious dent in your net worth.
We're going to discuss that and how to protect yourself in today's episode.
Welcome to the Afford Anything podcast, the show that understands you can afford anything
But not everything.
Every choice carries a trade-off.
This show covers five pillars.
Financial Psychology, Increasing Your Income, Investing, Real Estate and Entrepreneurship.
It's Double Eye Fire.
I'm your host, Paula Pant.
I trained in economic reporting at Columbia.
Today's episode focuses on protecting your wealth and protecting your business in the digital age.
Dr. Cole, our guest today, is a former CIA hacker who is now a cybersecurity expert
who has advised multiple major companies.
He's been inducted into the Infosec Hall of Fame,
and he served on President Obama's Commission on Cybersecurity.
Welcome, Dr. Cole.
Why should any ordinary person who's listening to this right now
care about cybersecurity?
How does it affect their money?
The short answer is you're a target.
Most people don't realize that, because here's the reality,
If you go in and look at a $3 billion company, they have a team of 60 people doing cybersecurity.
You try hacking them, good luck.
You look at some big names like Bill Gates or those types of folks.
They have dedicated people and cybersecurity specialists like me monitoring and tracking their accounts.
You're an advisor to Bill Gates, right?
Yes, his personal estate.
So you go in and look at those types of folks, good luck, right?
Because most people think cyber attacks
are going after $100 million from one individual.
The reality is if you go after a small business owner or somebody who owns a dental practice
or even a doctor that works at a hospital or a professional in other fields, they probably
have nobody guarding their security.
They probably have minimal security measures.
And here's the thing.
If I go in and steal $50 from everybody every month, most people won't notice it.
And I'll show you some tricks later,
but most people don't check their credit card statements.
So if there was a $20, $30, $40, $50 deviation, they wouldn't notice it.
So we sort of call it the death by a thousand cuts.
So the reality is you could have money being drained from your account that over years
could be costing $20,000,000, but it's done so low and so little, you don't even notice it.
So it could have a huge impact.
Second, if you don't have good cybersecurity, I can trick you into going to a website that you think is legit,
and you go in and put in your name, your date of birth, your address, and things like that,
which is very common.
Most people give that out like candy on Halloween.
And you do that, and you have your identity stolen.
Somebody can go in and open credit cards.
It's very common at Costco and Target and these other places, because when you go in to make a purchase,
they say, hey, do you want to open up a credit card?
Right.
Try doing it once.
It's scary, the minimal amount of information you need about somebody.
We get this all the time with our clients where they're opening up multiple credit cards.
They're spending $500 or $800 so it's below the fraud alert systems.
They know how the fraud alert system works.
Target, fraud alert, if you're under $1,100, it won't alert.
So they're going to always stay between $7,800.
They know how to bypass the security system, but then here's the reality.
They open up four or five credit cards in your name.
They run up $8,900.
They go to a bogus address, but they're under your name.
It destroys your credit. So now a lot of my clients, they think they have great credit
because they're always paying off credit cards. They're always doing good financial things. They go to
get a loan or they go to buy a house and they get denied because they have like a 220 credit rating
and they're like, how could this be? And they're like, well, you have five outstanding credit
cards with unpaid debt on it and it destroys your credit. So it can also impact your credit on
that front, it could basically take over your identity, your bank accounts. A big area that we see
a lot of professionals getting burnt on is cryptocurrency. One of the cool things of cryptocurrency
is it's untraceable. That's why people like it. That's why it's used for ransomware and other
attacks. But the problem is a lot of people have their crypto wallets with a password. And those
passwords are known if you use the same password across multiple sites and you're not using two-factor.
And they can go in and empty your wallet.
And we've seen this all the time where I get these calls from folks like Eric, I put my
entire life savings in cryptocurrency and ran it up to $500 or a million.
And I woke up this morning and it's empty.
What can I do?
And the unfortunate sad part is nothing.
So it's one of those with cyber.
It's prevention and detection.
And you need to go in and protect that.
And then so the last thing is if you have parents or grandparents,
they're one of the biggest targets because they have money, they have time, and this is not a negative,
but they didn't grow up with the technology. They're naive and they trust people. So if they go in
and get a message saying, hey, this is from your bank, and we're noticing unusual activity,
please click on the link, and they will, and they'll empty out their bank accounts. To me,
one of the movies that everybody needs to watch, the action is a little questionable, but it's a
great movie, is called The Beekeeper with Jason Statham. It's an action flick, but the core message
in the movie is there's this wonderful 65-year-old lady. She's a mom. And I mean, she's just the sweetest,
kindest person. And she has her life savings of about 800K. And she's running a nonprofit to help
underprivileged children. And she raised $3 million to invest in an orphanage for these kids. And she
gets this scam message that says, hey, you've been hacked, please call us, we'll clean up your
system. And it's real. It's a fraud. And within 10 minutes, she gives away all her information.
They're super good, wipes out her entire life savings. And then because she's so distraught,
she takes her own life. And unfortunately, those things happen a lot where we see that with parents
and grandparents. And imagine if your parent or grandparent got hacked and they lost everything,
that would be devastating. And then the other big area that just, I don't even like talking about it
because it gets me so angry and frustrated. And you've seen recent stories with these extortion with kids
where these kids very successful. They're 17, 18. They're real good in sports. They have a scholarship.
They're accepted to a college. And somebody hacks or does cyberbullying. And a lot of these kids can't
handle it. They don't know who to talk to. And we're seeing more and more
of these children taking their lives because they just can't handle that reputational damage.
So whether you have kids, whether it's you or whether you're parent, cybersecurity over the
next year is going to impact your life. So if you don't start taking it seriously, and the good
news is, as we'll talk about, there's lots of easy, common sense things you can do. But it's one of
those things where every day when I wake up in the morning and throughout the day I'm getting calls
from family members, friends, or people that found me online with these devastating stories.
So it's one of those things to the listeners is it's going to happen to you.
So the more proactive and you can realize you're a target and cybersecurity is your
responsibility, you can save yourself headaches or devastating events happening to your family.
Wow.
One thing that I hear in your answer are a variety of different types of ways that you could get
attacked.
You mentioned ransomware.
You mentioned identity theft.
You mentioned a number of...
You mentioned phishing schemes.
Phishing schemes are very common, where they'll send you links or text messages.
Yeah, ransomware or what they call extortion, going in and stealing your identity, credit, bank hacking.
There's a whole range of attacks.
Can we go through what some of those attacks are?
What is bank hacking?
Can they literally access your bank account and take money from a bank account?
Yes.
A lot of people do not realize this, but most of your banks will allow you to do EFTs, electronic fund transfers, and most banks, depending on the size of your account, will let you take at least 50% in an EFT. So if you have 200K in your savings account, they can actually do an EFT for under 100, like 75 or 80K, and you do not get an alert. And all they need is your
account number and your password to be able to get in and do those types of attacks. And the reality
is you put your account number in a lot of different places. And one of the things that people don't
realize is like you pay with a check. Yeah, yeah, your bank account number is written at the bottom of the
check. Exactly. And those checks sometimes can easily be caught or accessible. And especially when you do
online purchases and you go in and put in your checking account number, like online billing a whole other
topic, but think of how many different locations from local municipalities to small little places
that have your bank information.
Right.
And then, so I get your bank account information, then I can go in and guess your passwords
because most people have probably had their account and passwords taken in attacks and available
on the dark web.
And there's actually dictionaries of common passwords that people use.
So if you're using dictionary names and numbers.
which most people have some sort of predictability around it,
those passwords are readily accessible.
So now I can go in, get your banking information,
get passwords information,
and depending on your security settings,
that can sometimes be enough to go in and do EFTs.
And then here's the problem.
If you don't have alerting turned on,
which is one of the things we'll talk about later in the show,
if you don't have that turned on,
most people don't check their bank accounts for multiple days.
And the way it works with the fraud-based systems
is you have 48 hours
to report it because there's a 48-hour hold, and then they transfer the money, and it's too little,
too late. So if you go check three or four days later, you're pretty much out of the money.
And the problem is, if it's because of your negligence, and that's a hard pill for people to swallow,
but if you had a weak password or you didn't protect the password or you didn't turn on the security
settings, most of the time, you're liable, not the bank. So you're actually out that money,
and that's sort of the same thing with cryptocurrency. So people don't realize this. And when we talk about
the security settings, people always like, oh, Eric, that's an inconvenience, like spending five
extra seconds logging in. But what I always tell people is, okay, five seconds is an inconvenience,
but having your entire bank savings or your identity stolen, you're going to be inconvenient for
nine months. So which inconvenience do you want? Do you want a five second or a nine months? So
people just don't think it's going to happen to them. And the reality is it's happening to
average people, folks that are business people, small business owners. So,
whether you're making 100K or 100 million, it's across the board. Nobody is spared from these attacks.
Why nine months? Just because if you go in and your identity is stolen or your bank account is wiped out,
if you look at the amount of effort, because you're going to have to submit forms,
you might have to get attorneys because some of these banks are getting hit so much, they can't pay out
or go in and give you the $90,000 back. So you have to sometimes fight them, do legal action,
put in new security measures, and then think about most people, if they lose 90,000,
that could impact their lives. They might have to sell their car or sell their house or apartment.
So when you look at... So you mean many months? Many months, yeah. So it's not a set number,
but I'm saying it negatively impacts you. If you look at the emotional impact, like your kids
going to college and you save the money to put them to college and now your child can't go to
college because your money's wiped out or now you have to get a loan and you have to work a second
job. So you look at emotional impact and impact on your family. And once again, it's, it could be
even more, but it's many, many months. And I find on average when you look at the emotional support,
the time, the energy, the effort that is usually somewhere between six to 12 months that it negatively
impacts you. So that's why I just use nine as an average. Right. Wow. So I think a lot of people
understand that cryptocurrency is the Wild West and there's a lack of regulation. And part of
the risk that you take if you decide to go into cryptocurrency is that lack of regulation,
that lack of rule of law protecting what you're doing.
But I think that most people, myself included, didn't know that or don't know that about bank
accounts because banks are one of the most highly regulated institutions in the United States.
Other than pharmaceuticals, right, or weaponry, there are very few industries that are
more highly regulated than banks and the financial institutions generally.
So I think a lot of people would be surprised to learn that even the money in a bank account can be that vulnerable.
Yeah.
The thing you have to remember is, you're right.
It is one of the highly regulated industries.
But the regulations are around protecting the bank if they get compromised.
So you go to your bank and it says, you mean, FDIC insured up to $300,000.
That's if the bank gets hacked.
Yeah, $250, I believe.
Or $250.
So if the bank gets hacked and the bank goes out of business, you're covered.
But what people don't realize is the regulation, and it's scary because the U.S. is one of the few countries in the world that doesn't have a unified law on security and privacy that protects citizens.
Most of the regulations out there are protecting the entity.
Like HIPAA protects hospitals.
It doesn't protect individuals.
The bank regulation protects the bank.
So if the bank goes bankrupt or out of business, you're protected.
But if you don't protect your password and somebody gets in and gets your user ID and password,
that doesn't protect you from the regulations.
You're liable, not the bank.
And that's where you have to be real careful there because, yeah, we think it's all the regulations,
but they're not protecting you.
They're protecting the institution.
In addition to bank vulnerabilities, can you go through some of the other ones that you described?
So you talked about ransomware, phishing, identity theft.
Phishing, I know, is a big one when it comes to closing a mortgage, buying a home.
So phishing is a technique of what we basically call social engineering, which is the most common method of exploitation, where you're tricking or manipulating someone to do something they normally wouldn't do. So common phishing techniques, I don't know if you've seen this, but it happens a lot. You get a text message that says you have unpaid tolls in Florida. Yeah. I get those messages all the time and I look at them and I'm like, I don't have a car. I live in Manhattan. I don't have a car. But I get messages almost probably two, three times a week,
telling me, I have unpaid tolls.
Yeah. And here's the thing you have to remember. The frequency in which you get them
is the frequency in which people are falling vulnerable to it. If they sent out that message
and nobody clicked and nobody replied, they'd stop. So when you're getting any of these like the
unpaid tolls or messages from Amazon or your bank or things like that and it's fraud because
you look at the messages or you look at the email and you're like, hey, this doesn't feel right.
the frequency in which you're receiving it is the frequency in which people are falling victim to it.
So just that Florida toll example, which is like $49, they have made over $3 million on that in six months.
And the problem that we have is we know who they are, we know where they're coming from,
but they're in countries that don't have extradition treaties and it's not against the law.
A lot of these attacks are coming from Russia and then people are surprised.
North Korea, Iran, that those are big scams because they're easy, they're simple, and we don't
have extradition treaties or laws. So the problem is law enforcement and cybersecurity professionals
like me, we know where they are, but we can't do anything. So that's why these attacks continue.
And then the other thing with phishing is, we see these all the time. You get a message that it
looks like it comes from Amazon, nothing against Amazon, just they're the biggest retailer.
and it says the recent order you just placed is on back order.
If you want to receive this item within the next 24 to 48 hours,
click on this link to reorder.
And you go, how do they know who ordered it?
Here's the reality.
Most people are ordering from Amazon.
So if I send it out at 9 in the morning and 3 o'clock,
the probability that at least 20 or 30% of the people have probably ordered an Amazon
is pretty high.
So once again, people think it came from Amazon.
they're not checking, they click on the link.
And then once again, stealing credit cards, stealing bank accounts, stealing money, stealing
information along those lines.
So that is by far the most common.
And what one of the tricks we'll talk about later is do not click on links under any circumstance.
And you're like, but Eric, how do you then do business?
Use the app.
So if I get a message from Amazon that says, hey, there's an order that has an issue,
I don't click on it, I delete it, I go to the app.
So you have to just train yourself on good
cyber hygiene, and then the other big attack, it's more business focused, but it happens with
individuals, is ransomware, where essentially they go in and it's usually done with a link
again, where you click on a link and it goes and encrypts your hard drive, or if you're at a company,
it goes to your database of all your clients and encrypts it. And then it basically pops up
a message saying, unless you pay X amount of money, you'll never see the information again.
And once again, these are big businesses.
One of the big ones is a company in Russia.
So it's an actual company called the cyber investment firm.
It is a company.
It's a building, a three-story building.
They have 700 employees.
These employees get benefits.
They get salaries.
They get days off in PTO.
They go into the office.
They have badges.
They have everything else.
And the entire business is going in and doing ransomware.
Wow.
And once again, because in countries like Russia and others, they're tied to government officials,
so it's not illegal, there's no extradition treaties.
So these are actually running as businesses that are targeting you and your family,
and they know what your price point is.
The average person that has all their family pictures, all their taxes, all their information
on their computer or laptop, if I encrypt it and say you'll never see the data again,
but if you pay $300, you'll get it back, are your pictures,
is your life, are your tax returns worth $300? Absolutely. So most people will actually pay it,
and it's a sad state of affairs, but as security professionals, even law enforcement,
because there's nothing else we can do and the encryption is so good, we can't break it,
that we unfortunately tell people in most times it's actually better to pay the ransom
than to be out and lose all that information and all that data. And now companies,
they go in and know other price tags. I don't know if it came all the
way up to New York, but if you remember two years ago, the Colonial Pipeline, the biggest oil
pipeline for gasoline on the East Coast, our gas stations were closed for five days. We had no gas.
On Monday, when it happened, I went to get gas to fill up the car. It was a 30-minute wait at the gas
station. Wow.
And by Tuesday evening, every gas station was out of gas. So, like, people were panicking and no-
– Do you live in the D.C. area?
In the D.C. area in Virginia. And all these security professionals like, oh, they're not
going to pay the ransom, they're not going to pay the ransom. I was one of the few that broke the
story on they're going to pay the ransom because the reality is if they don't pay the ransom,
they're going to lose $30, $40 million in lost revenue. If they pay $5 million, they'll be up and
running within 12 hours. And sure enough, by Thursday, I was right, they paid the $5 million
ransom and gas was restored by the weekend. So these are the things with bigger companies. They
know the monetary loss and the pressure points. So the ransom
demand is going to be low enough that it's actually easier to pay the ransom than suffer the
pain of having your systems down and unavailable.
Wow.
There's something that feels very mafia about that.
It's the cyber equivalent of someone coming to your store with a baseball bat and saying
would be a shame if anything happened.
Yep.
Right?
And you just nailed it because here's the reality that is really the hard part of why I sometimes
tell companies.
If you don't pay the ransom, you lose $30 million.
but if you pay the ransom, you get your information back.
But here's the problem.
If you pay the ransom once, you're in the frequent flyer list.
It's like New York in the 70s that they would come in, the mafia, and they'd be like,
if you don't pay protection services, then we're going to trash your store.
Right.
You don't believe that they trash your store.
So then you pay the whatever it is, a couple bucks.
But once you do it once, you're going to have to pay every single month nonstop.
So the same thing, if you pay the ransom,
And you don't then fix the problem and hire good security professionals, they're going to come back every quarter and hit you up going, hey, because we're such nice people, right, with such nice evil hackers, instead of $5 million, we're just going to charge you $100K every quarter.
So if you pay $100K, we'll provide security protection, right?
It's all marketed as a business.
It's not evil.
It's like, we'll provide security protection and monitor your site, and we won't hit you with ransomware.
but if you don't pay, then you might have to get hit with ransomware every three to four months.
So it's actually a mafioso disguised as sort of being nice, legitimate services, but it's really not.
So it's one of those things you pay once, and if you don't fix the problem, you'll keep paying over and over again.
Wow.
And this happens to individuals as well, right?
Yes.
So the price tag is lower, but it happens to individuals.
But here's the problem: you or the average person gets hit with ransomware
somewhere at their home. It's $300. So unfortunately, if you try reporting it to the police,
it's a small amount that, yeah, they'll file a police report. They're not really going to do anything.
The FBI is not going to be concerned because it's under typically their limits, which is usually
$5,000 or $10,000. And the media doesn't care about $300. So nobody realizes how bad it's happening.
Nobody realizes that it's happening to people across America on a regular basis where they're paying anywhere from 100 to 300 because they know what your income is, so they know what you can afford.
So they tailor the ransom to that amount.
But because no one's socializing it, no one's talking about it, no one's bringing it up, people have no idea how bad it is.
But it is really a pandemic that's impacting a large number of people, but nobody's talking about it.
How are the types of cyber attacks that we're discussing right now, how are these similar to or distinct from scams, right?
So when I think about, for example, someone calling the grandparent scam, someone calling a grandparent and saying, hey, your grandson is in jail, you need to send money for bail, at least send the bail money to this address.
Is that a different classification of financial problem?
or is that, how are cybersecurity and financial scams related or different?
If you go back sort of four or five years ago, they were sort of different and then the
scams were very targeted on purely monetary.
And they were really phone driven where they'd call you up and say, hey, your son was arrested
or something happened.
You need to give us two or $300, mail it or EFT it.
But today, because of the technology and artificial intelligence and all those, they've really
sort of merged together.
where now they're almost one and the same,
and it's the same entities doing it.
So if you go in and think about,
it's really just a delivery mechanism.
So if I send you an email that says,
hey, I've been arrested,
or I don't know if you've seen this on social media,
where social media attacks will get compromised,
and then they'll text everybody in your following saying,
hey, I'm traveling to Puerto Rico or Mexico,
and the most unfortunate thing happened.
My wallet was stolen, my driver's license was stolen, my credit cards were stolen.
I am stuck and I have no way to get home.
Can you do me a favor and send me $500 to this account and I will pay you back when I get home?
But otherwise, you might never see me again because I have no way of getting home.
I have no money and no access to anything.
Now, most people, if you're nice and kind and it's legit, like if my friend legitimately had that issue, I'd send them the money in a second.
But so people get emotional about it.
They think it's important.
And they'll send it.
That message, I could call on the phone.
I could do it in social media.
I can do it in an email.
So it's really the same message of social engineering.
It's just done at different levels of delivery.
And sort of a funny story with that is one of my friends had his account hacked.
And he had like 500 people in his contact list.
And they sent out that scam.
And I'm talking to him.
And he's mad.
And I'm like, dude, how much did your friends lose?
He's like, nothing.
I'm like, why are you mad?
He's like, because none of my friends cared.
He goes, here I'm telling them that I'm stuck in a foreign country and not one of them
paid the amount.
And I'm like, dude, you're missing the point, right?
But it was funny how people emotionally react going, nobody cared enough to actually
fall victim to the scam.
So it's sort of crazy.
And then you layer on, like you look at those scams where they call your parents and say,
hey, I've been arrested or the grandparents.
Right.
They used to just use a voice saying, hey, this is Officer Jones.
I just arrested your son and he's at bail for X amount.
But now with AI, they're actually mimicking your kid's voice.
So now because think of a lot of kids put videos out.
Your child puts a video out.
I have their voice.
I now can train an AI model to mimic their voice.
And now I can call their grandparent because guess
what, their grandparents are following them on social. So very easy for me to find the grandparent.
A lot of people list their contact information. So now I can call the grandparent with the actual
child's voice saying, hey, this is Erippa. And it sounds exactly like their voice. And now the
probability of people falling for it is much, much higher. Exactly. I actually had a conversation
with my parents about that because when AI first became ubiquitous, I became really nervous
about the fact that as a podcaster, we're at over 600 episodes. Yeah, there's a
lot of your voice and video. Yeah, exactly. Exactly. Right. And each episode is a minimum of an hour,
sometimes an hour and a half or longer. There is probably a thousand hours of my voice in the
public domain. I'm incredibly easy to mimic. Yes. And so to the best of my knowledge,
that hasn't happened yet. But what does happen and what's frequently happened with me,
social media, I will have accounts that pretend to be me. There will be these, what's the word for
like a spoof account, right?
A spoof account that pretends to be me and that sends out messages to all of my followers.
And it's without exaggeration, there have probably been at least 150 spoof accounts that I'm aware of over the years.
And what is concerning to me is that on multiple occasions, there are people that I know, nobody I know closely but distant acquaintances who have genuinely believed that they've been having an exchange with me. So one time I went to Greece and I was chatting with a friend of a friend and she started
bringing up this conversation that we had had on Instagram. And I was like, what are you talking about?
As it turned out, she'd been chatting with a spoof account believing that it was me and it was only
the fact that we happened to meet face to face in Greece that cleared the air. Otherwise,
she might have believed that forever. And you're a prime example; influencers
or people that are on social media,
the more influential you get,
the bigger target you are.
And I hate to say this because you're growing rapidly.
So unfortunately, it's going to happen
where somebody is going to start putting out videos with AI
that look like you,
but they're going to have discriminatory messages
or negative publicity trying to go in
and hurt your brand or hurt your reputation.
And then the other thing that you've been lucky so far,
because it sounds like you must have good security
on your prime account,
But the other scam is they set up all these bogus accounts for you, and then they take over your
prime account, and they say, unless you hire, and notice how they do it.
They don't say ransomware now, because that could be illegal, because of some of the laws,
they go in and say, unless you hire us for security protection, right, the Mafioso model,
unless you hire us for security protection, you'll never get it back.
But guess what?
If you hire us and we do reputational improvement and monitoring, so it sounds really legit,
and we'll make sure this doesn't happen in the future.
And because you're such a great, wonderful person with such a great message, Paula,
we're going to go in and charge you $39 a month.
Now, once again, you don't like it.
But $39 a month to get your account back and to be able to talk to your audience
and not have it hijacked with bogus accounts is probably worth it.
Then they'll go in and say, hey, for an upcharge of $29 a month, we'll remove all the bogus accounts.
So now when people search on your name, they only get your account and nobody else.
And once again, for most people, the discomfort is so hard that the money is worth it.
And they're now spending $60, $70 a month, so less than $1,000 a year on so-called fake cyber protection,
but to stop your account from being hacked
and stop the rogue accounts from being set up.
We get contacted by influencers all the time
that are just like, I'm losing hundreds of thousands of dollars
because my account's been hijacked
and I can't communicate
and bogus accounts are putting out false information.
So now my user base is getting corrupt, frustrated, and biased
and I'm losing followers, I'm losing money.
How do I get it back?
And unfortunately, in a lot of cases,
if you didn't prevent it in the first place, it's very hard to get it back after the fact.
And, you know, and one of my big fears is that someone will scam a fan of mine who will pay money believing that I have asked them to do so.
Yes.
So I know there's a guy who's in our space named Mr. Money Mustache, and he has publicly written about how someone spoofed his account, sent out messages to a bunch of his followers,
and one of his followers paid $1,500 for some quote-unquote investing course because they believed
that it was coming from him.
Because that person trusted him as the person, as the recipient of that trust, that is such a
responsibility, right?
So that's a huge, huge fear of mine.
I know that many of the spoof accounts that have pretended to be me have sent messages out
to my followers, either talking about some quote-unquote investing course
or asking if they invest in crypto. Over and over and over in my Instagram stories,
I will create videos of myself saying, hey, it's me, like, just to reaffirm, I will never,
ever, ever, ever, ever in my life, I'll never initiate a DM to anybody, you know?
B, I will never DM any one of my fans to ever ask for a sale of any sort, not even for
a course that I actually run, right?
Just never going to do that by DM.
But when I tell my audience that, I know that it's only a small fraction of them who are actually hearing that.
Right? And statistically speaking, the overwhelming majority of people are not going to hear those messages.
Yep. Exactly. And then this is a hard part is like with your friend, if somebody does that where they create a fraudulent account.
Yeah. And a lot of people don't understand it. So now they think you took $1,500 from them. So now the question is, what do you do? Do you tell them, well,
listen, that wasn't me and sort of stinks to be you. And then they're going to be annoyed at you
because they're going to think you ripped them off. Or in a lot of cases, these folks, if they're making
enough, they'll actually be kind enough to refund the person or give them a free course or give them
something else. But then you have a financial impact because somebody else created fraud. So you're
doing the right thing putting messages out. But the other big thing is to really tell everyone, this is my only
account. I do not text from any other account. This is my only Instagram account. So if you're getting
messages from anybody else, don't click on it, don't go there, don't post it. Or the other thing, where you've
got to be a little tricky, is you then hire somebody to go to all those bogus accounts. And when they
post articles or comments, you put a comment in basically saying, this is not me. This is a fraudulent
account. Don't click on it. And because most of them are run by bots and not humans, they don't catch
that. So then you can at least be proactive, but then here's the question, do you really want to spend
and should you be spending $15,000 or $20,000 on hiring a person to solely protect yourself
against trolls and cyber criminals out there? But unfortunately, as you grow as an influencer,
it's a necessary evil because there's people that are going to be targeting you. Yeah. I've seen it on
Instagram and Facebook so many times. I am not exaggerating when I say a minimum of 150 that I know of.
And I only know about it because one of my fans will contact me and say, hey, is this you or, hey,
this does, I think this is a fake account.
And my team can tell you.
Like, you know, we get that all the time.
You've been lucky because it sounds like you have really good security and they haven't been
able to hijack your primary account, but I can guarantee you they've tried.
Wow.
And you've just had good security, but a lot of them don't.
And I get called all the time from, and I won't mention some of the big names out there.
And they're like, Eric, my account's been taken over, what do I do?
Wow.
And there's not a whole lot we can do after the fact except pay to get it back and then we'll
really roll up really good security so it doesn't happen in the future.
Well, on that note, I'm going to hand you my phone.
Okay.
All right.
And so tell me, what am I doing wrong?
Here's my phone.
It's unlocked.
Go wild.
Okay.
So first thing you did wrong is hand me your phone.
Yeah.
You never ever want to give your phone to anybody else.
You never want to give it to a child.
You never want to give it to a kid.
Like, I see parents in restaurants where they have younger kids and the kid is crying or screaming
and they hand them their phone.
Yeah.
Because kids just click anything.
Right.
Kids go on anything.
My family knows, not over my pocket, but nobody knows my passwords.
Nobody gets access to it.
Like this is like a body part.
Like you try to take this.
It's like cutting off my arm, right?
You are not getting access to my phone.
That's sort of the first thing is you want to control it. And then if we just go through, so first thing is way too many apps.
Yeah. So I'm guessing if I go in, I don't want to be too intrusive, but if I look at usage,
you probably have it. Feel free. Be intrusive. Yeah, you probably haven't. So you can actually
see what I'm doing. So I'm just going in and looking at your usage data. It looks like about
60% you haven't used in 45 days. So if you're not using those apps, you definitely want to go in
and turn that off.
And then one of the big things,
let me go in to find where your settings are.
So if we go under settings,
and then we go under your security,
and what I'm looking at there is the tracking of the data.
So to see if you have tracking for which apps,
so we'll put in your location.
See, one of the things you are doing good
is you have small print,
so for people like me that can't type,
you go in.
So I'm looking under location services.
Uh-huh.
Do you realize that you have all these different apps tracking your location?
Wow.
So like Be Real, passing.
There's a compass that tracks your location, which if we go in and we look at the Compass
app, which my guess is, it's actually made in China.
So like you talk about TikTok as an issue.
So you actually have a Chinese company that's tracking your location because you have a
compass app on your phone. We then go in and Instagram's tracking your location,
Mighty's tracking location, PayPal, and like it's about 70 different apps. And the good news is
you're like most people. Yeah. And people don't realize one of the most dangerous things is free apps.
Because free isn't free because it basically means that whenever you download it,
they're putting on location and monitoring your camera on your device. So then if we go in and I also look
at access to your photos.
That's also similar.
So these are all the apps
that can actually access your camera
without you knowing about it.
Wow.
So there's a list of like,
how many is that?
So one, two, three, four, five, six, seven, eight, nine, ten, twenty.
It's about 35.
35.
There's 35 apps that whenever you use them,
they can technically turn on your camera
without you knowing about it.
And then the other one that always shocks people
because, oh, you're actually doing really good on microphone.
Wow. The other two, I'll maybe give you a C-minus, but for microphone, you'll get an A because you only have a few.
Ooh, look at that.
Yeah. But if you want to go in and be scared because this happens, one of the ones we always see is Chrome.
And if you do this where we start talking about, let's start talking about painkillers and medicine and ibuprofen.
Ibuprofen, yes. Well, talk ibuprofen, Aleve, naproxen, acetaminophen.
So you go into Chrome now.
And you type in HO and it will autofill in how much ibuprofen to take.
Wow.
Because Siri's actually listening all the time.
Let me check that on your phone.
Yeah, you have Siri turned on.
So Siri's listening.
And that's what most people don't realize.
They're not recording what we're doing.
I'm like, how would Siri answer unless it's recording everything you're doing?
So those would be one thing.
The other big thing, let me check on your, I won't read your text messages.
Your texts have auto archive to the cloud, which means even if you delete a message or remove a message
from your phone, it's still on your device and it's still getting backed up to the cloud and we can
recover it. So we work on a lot of these, I don't like them because it's an evil part of society,
but these super high profile like Hollywood stars when they get divorced and there's hundreds of millions
at stake, we get involved and we can get their phone and we can find deleted messages of
inappropriate pictures, communications with people that they shouldn't be communicating with,
and other factors along those lines. So that would probably be, okay, personal hotspot's turned off.
Good job on that. That's when we check. We look at Bluetooth. Actually, once again,
I'm impressed. Most people with Bluetooth, and I'm victim to this because I have so many devices,
actually have auto discovery. So you have about 30 or 40. You don't have auto discovery on, which is very
good. You only have a few devices there. So good job on the Bluetooth. But that's something users want
to check: how many different Bluetooth devices, because that's the scary thing, is a lot of people,
because they like convenience, they have auto-connect Bluetooth. So now, like, if you go to somebody's
house or location, I have what I call a play phone and a real phone. So a play phone is just so I
can mess with my friends, and I have auto-discovery. And I go to their house and I'm like, oh, I just
connected to your fridge, your thing, or I only do this with friends I really know. But most people
have smart thermostats in their house or smart ovens, smart fridges. So I'll go in with only people
I really know and they know what I do is I'll go in and all of a sudden they're like, why is it so hot
in here? You just start messing with the settings. I turn their thermostat up to 85 degrees or I want to make
sure I'm careful with this because we don't want to cause problems. All of a sudden I'll turn on
their oven or their stove and they're like, what's going on? And they just don't realize how open the different
technology is. Right. So I would say I could keep going, but those are probably some of the big things
that I always look at on people's phones.
The number of apps, free apps, location services, tracking, pictures, camera.
I mean, those are really the big things you want to look at.
Microphone and Bluetooth also.
Right.
The other one I'll look at real quick.
Okay, once again, you're pretty good here.
I look at subscriptions.
Most people, they don't realize it, but they get these apps that are free.
Yeah.
But if you read the fine print, it says in 30 days, you'll be charged $19.99.
and then they go in and they don't realize it,
but they have like almost $700 or $800 a year worth of subscriptions
that they're paying and they have no clue.
I watch my paid subscriptions like a hawk.
Yeah, I was going to say you're actually doing really,
you're actually sort of, I would say,
in the upper tier of people that are security aware
because most of the time the big gotchas,
you're actually doing really good here.
Yeah, I mean, you have the legitimate ones like Instagram,
ChatGPT, those are pretty valid ones.
So you're actually doing pretty good on the subscription side.
So I would say overall, you're actually doing pretty good.
Oh, excellent.
Thank you.
Those are the big things for the users is number of apps, usage of apps, free apps, subscriptions,
then look at location services, look at camera, look at phone, and then look at those key areas,
and then also look at cloud backup and permanent delete for texting and others,
because the default settings are not secure.
and people don't realize this, but once you hit send, save, or post, it lives forever.
I didn't bring my forensic tools, but if I did a forensic analysis and I wouldn't do this
to you because it's personal, but I could pull up any deleted text messages, any deleted information
or pictures or anything like that. So people that are doing questionable things or texting
or stuff like that where they don't think it's there because they delete it, it's still there
and it can still be recovered.
Fifth Third Bank's commercial payments are fast and efficient.
But they're not just fast and efficient.
They're also powered by the latest in payments technology
built to evolve with your business.
Fifth Third Bank has the big bank muscle
to handle payments for businesses of any size.
But they also have the FinTech hustle
that got them named one of America's most innovative companies
by Fortune magazine.
That's what being a Fifth Third better is all about.
It's about not being just one thing, but many things for our customers.
Big bank muscle, FinTech hustle. That's your commercial payments, a Fifth Third better. The holidays are right around
the corner and if you're hosting, you're going to need to get prepared. Maybe you need bedding,
sheets, linens. Maybe you need serveware and cookware. And of course, holiday decor, all the stuff
to make your home a great place to host during the holidays, you can get up to 70% off during
Wayfair's Black Friday sale. Wayfair has can't-miss Black Friday deals all month long. I use Wayfair
to get lots of storage type of items for my home. So I got tons of shelving that's in the
entryway, in the bathroom, very space saving. I have a daybed from them that's multi-purpose.
You can use it as a couch, but you can sleep on it as a bed. It's got shelving. It's got drawers
underneath for storage. But you can get whatever it is you want. No matter your style, no matter
your budget. Wayfair has something for everyone. Plus they have a loyalty program, 5% back on every
item across Wayfair's family of brands. Free shipping, members-only sales, and more. Terms apply.
Don't miss out on early Black Friday deals.
Head to Wayfair.com now to shop Wayfair's Black Friday deals for up to 70% off.
That's W-A-Y-F-A-I-R.com.
Sale ends December 7th.
This Giving Tuesday, CAMH is counting on your support.
Together, we can forge a better path for mental health by creating a future where Canadians can get the help they need, when they need it, no matter who or where they are.
From November 25th to December 2nd, your donation will be doubled.
That means every dollar goes twice as far to help build a future where no one's seeking help is left behind.
Donate today at camh.ca/givingtuesday.
How secure is WhatsApp?
I asked because I recently had a bunch of friends.
We were all talking on WhatsApp and everyone was like, you know what, let's move to signal.
And they're like, we don't trust Meta.
Meta owns WhatsApp.
And I was like, oh, I don't want to move to another.
Yes, I know.
I'm so burned out on various messaging platforms.
I don't want to adopt yet another one.
Yeah.
WhatsApp's famed claim is when you're traveling internationally,
you don't get text charges for normal text messaging.
Yeah, exactly.
So really...
Wi-Fi, yeah.
It's really the Wi-Fi texting ability, so you don't get charged.
So it's really much more popular internationally.
Because, like, in Europe, people travel across countries and their cell charges over there are so much more than the U.S.
So like most people in Europe are all about WhatsApp for texting because it saves them all
this money in cell charges and it's so much cheaper and valid. So it's really good for going
out of the country. Well, I should say I have a lot of international friends. Yeah. So for international
friends, it's a very good tool. But the reality is, and there's a reason why it's out for free,
free isn't free. Because think about this. How in the world can Meta run WhatsApp? It's a lot of servers. It costs them, I think the last numbers I saw
was about $55 million a year to run WhatsApp, and they're not charging you a penny. Right.
How can they do that? That's a bad business model, except think of all the data they get. Think of all
the information. So the good news is they're not tracking you specifically, because that actually
would be against the law, but they're tracking your behavior based on your profile. So they're
going in and saying, okay, we have all this communication about a female in New York City in this
age bracket and group, and they're building profiles so they can do target marketing for all their
other apps and all their other profiles. So yes, they are listening and monitoring. Now, they're
going in and filtering the data so they don't know it's you, but do you really want all your
communications monitored and tracked? And that's really where Signal comes in. Signal you have to get
verified contacts and it's point-to-point encryption. So nobody can read the messages. Now, I know
if you watch the news, Signal has sort of gotten a little negative press because of some of the
people in the White House, but that had nothing to do with Signal. That just had to do with bad
user hygiene. That's not a Signal issue. That's a user issue. And one of the things I always
jokingly say is you can have the best security and best encryption in the world, but no matter
what you do, you can't secure stupid. They're just doing silly things.
I'm not trying to insult anyone, but the stuff they did with Signal is just ridiculous and simple.
So if you and your friends are really concerned about security, like you're doing national secrets and things like that, then Signal is most secure.
I'll be honest with you with most of my friends and most of my communication, because I don't like a lot of apps, is we use WhatsApp just because I'm the same way.
I have international friends.
I travel internationally.
And to me, we're not having any top secret conversations that would get anybody arrested
or any issues. So I sort of just accept the risk that they're doing general profiling on us,
but there's nothing specific that can actually be used against me. So it's one of those,
if you're aware and accept the risk, I would say it's okay. If you really start getting into
very confidential type discussions, like sometimes when we're working merger and acquisition
deals, because the SEC requires a security review. So if we're doing like high-end merger deals
or acquisitions, where we're going to China or Australia,
and we're negotiating a $300 million deal,
and I'm part of the advisory team,
we use Signal for all of that.
Because if you use texting or WhatsApp or anything else,
they will be able to monitor and see your discussions.
And we actually had that where we had executives using standard texting and communication
while they're in China negotiating a $300 million deal.
And we go into the negotiations the first day,
and we're really close.
They're saying, hey, we want 350.
The Chinese company is saying 280.
And we're like, okay, we're super close.
So that evening, I didn't realize it, but the executives and vice president were starting
to text each other going, this is awesome because we would want as low as 200.
But if they're coming in at 280, let's just go at 285 and get the deal done.
They come in the next day into the boardroom.
I didn't know this happened, but I'm there with them.
and they go, okay, 285. And the Chinese company goes, 200. And they're like, what are you doing?
They're like, we know last night you discussed it, and you said you go as low as 200, so now it's 200 or we walk away.
And then they're sort of stuck. So people just don't realize how vulnerable these apps are.
And when you talk about corporate espionage and assets and intellectual property, it is very, very active in China, Russia, even Australia.
So you just got to be super careful of the type and level of communication.
And for super sensitive, you go Signal; for friendly communication, WhatsApp is acceptable.
You said Signal is point-to-point encrypted.
And WhatsApp is end-to-end encrypted?
What is the difference?
Okay.
So WhatsApp, when I say end-to-end, it means from you to the Meta server is encrypted.
But then they decrypt and then they re-encrypt to your friends.
And so they're seeing your communication.
With Signal, if I encrypt the data, Signal at their servers doesn't decrypt it.
And then you decrypt it at your point.
So point-to-point means we're the only ones that are seeing the data.
The servers are only seeing encrypted data.
As with Meta and others, the servers are seeing unencrypted data.
Oh, okay.
So with WhatsApp, there's really three parties involved, whereas with Signal, there's kind of two parties involved.
Exactly.
But the benefit of WhatsApp is if you're at a coffee shop or you're on a wireless network at a hotel or an airplane, anybody else can't sniff or see your communication.
So it is protected from local sniffing, but it's not protected from server-level attacks.
Eric, you were the commissioner of cybersecurity for President Barack Obama.
Tell us about what happened when he wanted a smartphone.
So as you can imagine, presidents of the United States are people.
And they're really running a business, just a very large business, the country, and they want to communicate. So you think it's simple, hey, you just go to the store
and you buy a smartphone. But the problem is, and what most people don't remember is, a
smartphone is a tracking device. So do we really want the president of the United States to be
able to be tracked anywhere he goes, any location, any spot in the White House? So we sort of have a
challenge where if the president says he wants a smartphone, you can't tell him no. You have to tell
him how to do it in a creative manner. So at the time, one of the most secure devices was actually
a Blackberry. So we actually went in and configured the Blackberry to connect to alternative cell towers.
So now if he was, say, in the Oval Office, it would actually show up that he was across the street
and vice versa. And then we also went in, which is a key aspect that I do with my phone with high
profile individuals, is when he's in the White House or other locations, you turn off cellular
and you connect to wireless, because wireless doesn't have the same accuracy of geolocation as cellular does.
So we basically went in and I gave him a device so he can still communicate and make phone calls,
but he couldn't be tracked or located or present any threats to himself or his family.
And turning off cellular and just going on wireless, I mean, what that makes me think of is
any time I'm staying in a hostel in Costa Rica, right?
That's exactly what I do just because I don't want to replace my SIM card.
So it's funny to hear that high-profile individuals do that as well.
The trick, though, and this is the magical trick, you have to use something called a VPN
or a virtual private network that actually not only encrypts your data, but also masks your location.
I always joke, if you're bored and you just want to have a good time in Vegas,
don't go to the clubs, just go in and turn on a wireless sniffer because it's technically
legal at a big hotel in Vegas.
and most people don't realize text messages and pictures are sent plain text over the wire.
So you can get some very interesting and unusual and, let's say, spicy information from individuals,
and they don't realize that.
So if you're going to be texting over wireless at hotels or coffee shops or anything else,
it's super simple.
You just go to the app store and put in VPN, virtual private network, and there's free apps,
commercial apps.
And then not only is the data encrypted, but you can mask your location. So now it's even better. So for example, with Barack Obama, we set up his VPN that it can look
like he's in Chicago or Nebraska or the location. So now if somebody's actually tracking his device and
his IP address, he shows up in an alternative location than where he's really located. So it also
provides a level of obfuscation in terms of tracking and monitoring. I mean, VPNs have been around
for so long that I feel like I don't understand exactly how, but there seem to, the powers that
be seem to understand when you're using a VPN. I say that from the perspective of someone who
will sometimes try, I'll be in a foreign country, I'll use a VPN to try to access HBO Max,
right, to make it look as though I'm in the United States. And I still get the message that says,
sorry, this is not available in your area.
Yeah, so what's happening there is direct VPNs where you're actually basically just encrypting
to the local ISP in that country.
So in those cases, you're still going to be blocked
because you're showing up as a foreign IP address.
But if you get some of the commercial VPN products,
you can actually change your location.
So it can actually tunnel to a location in New York.
So for example, when I'm in some countries like Saudi Arabia,
which are very restrictive,
like they're super restrictive on what you can do.
But if I go in and have my commercial VPN set up to New York,
then I can still access U.S. sites in English as opposed to if I go to Google in Saudi Arabia without the VPN, it's all in Saudi Arabia.
I can't read it.
So if I go in and change my location, but that's one of the key things we're going to talk about a lot
today is these products have great security, but it's turned off.
So you need to know to go in and reset the settings.
So like if you're using a standard VPN, it'll still be in country.
But if you go under settings, security, and location, and you change your location, then you can
actually appear in the U.S. and bypass those filtering controls. We talked about WhatsApp and we talked about Signal. What about TikTok? Is TikTok
Chinese spyware? If you download TikTok, does that mean that the Chinese government could
subpoena the company that owns TikTok to get access to your photos? Are we at risk if we have
TikTok on our phones? Or is that all just a bunch of hype? So yes, no, maybe. And I'll just go and take you back
to sort of a story to lay the context, because I think it's important. So in 2000, I'm part of
different government task forces. I think if you read my bio, I worked at the CIA as a professional
hacker. So I'm often brought in on these scenarios. And so in 2000, I was part of an unclassified
task force, so I can talk about it. And they said, okay, Eric, if you were China and you wanted to
launch a cyber attack against the U.S., how would you do it? And I went in and researched,
and everything else, and I came back with my report,
and what I basically said in the report is,
I would create an app that's targeted at 16 to 20-year-olds
in the United States, because they're the future generation,
and I would make this the coolest app on the planet.
I would make it like social media on steroids,
so you can actually do pictures, text, video, interact,
and make it so much better than anything that's available at the time,
and then I would market the heck out of it to get everybody hooked on it,
and then we would monitor and track all their activity for eight to 10 years.
And once again, as far as I know, it wasn't publicly published.
Then you look at TikTok, and I took out the paper, it was almost an exact blueprint,
where TikTok is an application focused on 16 to 20, now adults are using it too,
and it's monitoring and tracking everything we're doing.
And here's the reality. All of that data on our activities, our behavior, and everything else is stored on Chinese servers
that the Chinese government does have access to. So when I said yes, no, maybe, it is an active malware.
So like one of the mistakes that Congress has made where they're like, it's spyware, where it's
gathering and blah, blah, no, no, no. It doesn't install anything on your computer. We've reverse
engineered the TikTok agents. It doesn't put any malware on your system.
So it's not locally monitoring or tracking, but here's the reality.
TikTok turns on location services, so you're allowing it to track your location with your data
and information.
So now if you're voluntarily putting information on TikTok about your behavior, your activity,
your videos and everything else, and they're monitoring it, that's not technically spyware.
That's user cooperation.
So everything you post, every way you go, everything you do, now good on you because you did not
have location services turned on for TikTok. So gold star, but most people do. Most people,
if I look at their phone, they absolutely do. So we're giving all this information to TikTok,
which is a company that's run in China and tightly connected to the People's Republic.
So they're monitoring and tracking. I think TikTok's been in business eight or nine years.
The eight years of data of U.S. people that are stored on Chinese servers, we're not talking about
that. That's going to stay in China and they're going to be able to have
that for the next 20 or 30 years. So they already have predictive analysis on U.S. citizens,
how we work and how we operate. In the worst case scenario, that data could be used for blackmail.
We talked earlier about ransomware. Yes. It can be used not only for blackmail and ransomware.
It can also be used for target marketing. It could also be used for tracking and espionage purposes.
So, for example, if I see somebody on TikTok and a lot of people say where they work,
and they work at, say, IBM or a large research entity that's doing high-end chip design or high-end
technology.
China can do that and now use that to go in and do targeted phishing attacks to break into
their systems or servers to be able to steal large amounts of intellectual property from the
systems.
Or you look at what happened with Aldrich Ames at the CIA.
He was one of the people that was converted by Russia.
What they basically did, the way they converted
Aldrich Ames, is they basically got blackmail data on him and said, unless you steal information
for us, we're going to ruin your life. Well, guess what? A lot of people are posting some
questionable things or areas on TikTok that they don't think anyone else is seeing. Well,
what if they get access to that and they can do the same thing saying, unless you spy for us,
we're going to use that against you. So there's so many different avenues that an advanced technology
company like China could use to target Americans. The list is so long, it gets scary.
To take this conversation back to money, as you've elaborated on throughout this conversation, there are so many nefarious things that entities can do with our data.
But as ordinary individuals, as investors, one of our chief concerns is protecting the net worth that we've worked so hard to build.
The portfolio balance, the income, the legacy that we want to pass on.
Can you share some examples of times when it's gone wrong?
Absolutely.
One of the biggest areas that we see all the time,
and I know I've seen a lot of your episodes
and you're very big on real estate.
Real estate's a great investment.
And I know you have many properties.
I have a lot of properties.
And we go in and we buy real estate.
Well, very often, we're going to go in
and get mortgages or closing
or we're going to even pay cash.
And we're using a reputable bank.
So I'm using a really good bank
and we're like, okay, the bank's secure.
But what we fail to realize is
a lot of these closing companies
and a lot of these smaller entities
that get involved,
are small businesses, they don't have really good security, and they can often be hacked or spoofed.
So I see it all the time, but I'll give a specific example.
It's a family that was in Ohio.
Yeah.
And, I mean, they were doing okay, but they were two school teachers, and they always dreamed
of going in and having a farm.
Like, they just wanted to have a nice farm, like a nice farmhouse and tractors and things like
that.
And one of their parents, they were the only child, and their parents
actually did pretty well with investments and had a good amount of money, and the dad passed away a
couple years, and then the mom passed away, and they inherited $1.3 million. The farm they wanted
was 1.2. Their dream is going to come true. They go to the bank, and they don't really need a loan
because they're going to pay cash for it, and they get everything arranged, and they get the closing
company. They put an offer on the farm. It gets approved. They're going to close in 45 days,
and five days before closing, they get the message that they're expecting from the closing company
that basically says here's the account information that you need to transfer the money to
in order to go in and buy the house.
Their real estate broker said you're going to be getting the message in three to five days.
It was on the legitimate letterhead.
The email looked okay.
It came from one of the brokers there.
And so they said, great.
So they go to the bank.
They do the EFT, they transfer it to that account, and then they show up at closing, and they're all
excited and happy, and the other side goes, do you have a check? And they go, what do you mean? Well,
how are you going to pay for the house? You said you offered to sell $1.2 million. And they're looking
to each other going, we transferred the money according to the closing company to your account five
days ago. And they go, we didn't send any email. And it turns out it was a scam. And we got involved
because there was sort of lawsuits of who's liable in this case. And the email for any average person
looked legitimate. It looked valid. It had all the proper authentication methods. And it turned out
that the closing company servers were hacked and they were sending emails out to select individuals
that were cash-based deals.
Because here's the reality.
There's very few cash-based deals.
So if you're going in and you get a loan
and you're only putting $80,000 down,
an attacker doesn't want that.
So they broke into those servers for three months
and they were waiting for a big cash deal.
And once they saw this $1.2 million cash deal,
they then targeted them only.
And because it was only a one and done,
nobody knew about it.
And there was a reason why they did
five days. Remember I said earlier? You typically have 48 to 72 hours. You have two to three days.
Right. So by doing five days, the money was gone. And now the question is, who's liable?
Right. The banks were saying that they weren't. The closing company was like, well, you clicked on the link.
That's your fault. And we're saying, well, no, you didn't have proper security. And you were compromised for
three months. So it's your fault. And then it gets into legal litigation. But here's the part that's
heartbreaking. They lost the farm.
and it's being fought in the courts, and it's been a year and a half because civil cases in the courts
are so backlogged. And if you don't know the court system, criminal cases take precedence. And because
the courts were so backlogged because of COVID, if you file a civil case today as an individual,
it could take two to three years to get through the courts. And then even if you get a successful
verdict from the jury, they could be appealed. So this couple might not see their money for
three to four years, they're heartbroken, right? They lost their farm, and now they're spending a lot of
the money on legal costs to try to get that money back. And unfortunately, this is not an isolated story.
Like, we see these types of instances all the time with large amounts, and you're like, well,
what could you do? So a couple of things. One is, if you're buying any real estate or any large
purchase, don't trust email. So what we do with all of our purchases,
is I go in and I call the actual closing company and say, is this legit?
Like, did you actually send this email?
And then what we'll actually do is, and I know people say it's crazy and it's old school,
but I still go to a bank and get certified checks.
Because me bringing in a physical piece of paper, sitting in the room with somebody
who's brought their driver's license ID with a notary public, and having witnesses in the
room that I handed them the check, is a much safer and better
mechanism than trusting online. So even though I'm a cyber guy, I'm an internet guy, a futuristic,
I don't trust a lot of those traditional systems. So when I'm buying my real estate or I'm doing my
investments, it's all paper checks that I'm bringing with me that's assigned to the person
certified so it's valid and they'll do it. And then I hand that over or whenever I do mortgages,
I actually make the mortgage broker come to my house or I go to a bank. We don't communicate
email. I tell them that when I'm buying real estate or I'm doing any large purchases, we talk phone
or in person. We do not use email. We do not use communication. I do not use websites because they can be
so easily spoofed and modified. I know it's convenient. I know we like it, but sometimes going old
school face-to-face paper checks and phone is going to be so much better and safer.
Right. The last house that I bought I paid in cash, I remember getting the email with the wire
instructions and being so scared. Instead of relying on what was in the email, I went to the
entity's website, looked up the phone number on the website, called that phone number, and then
verified the information. But to your point, I mean, as I talk through that, the weakness in
that is that that website could have been spoofed. Exactly. Yeah. But at least credit to you,
you took an extra step. Unfortunately, most people aren't tech savvy like you, and you would not believe
how many people trust that email and would just blindly transfer the money based on an email.
And, I mean, that's something if I thought of I could have done before our interview is,
I could have sent you an email from a closing company that you would have thought were legitimate.
And when you clicked on the link, it would have said Eric says hi.
We do that exercise with people all the time just to show how easy it is to spoof email
and how you look at these emails and you look at the legitimate email and the email I'll send you,
they look identical.
There's nothing that you can visibly tell.
So, I mean, the name of the game is for anything sensitive, anything involving money,
anything involving your life, no emails, no links, no clicking.
Right.
Oh, you should Rickroll people rather than the Eric says hi.
Yeah.
That would be a fun one.
That would be a fun one.
I like how you think.
So in terms of what we can do,
If you're buying real estate, go in person, on phone or in person. Ideally, in person,
meet at a bank, meet face-to-face at a bank for any type of transfer, use cashier's checks.
Don't click on links. That's no particular order, number two.
The other thing I'd add is sort of a 1A or a 1B is if you're investing in real estate,
use known trusted entities and always go in person. So like I know a lot of times if you buy in real estate,
the seller wants to pick a closing agent or pick sometimes at-estate entities because they're a little
cheaper, they get better deals. And I'm like, no, if I'm buying your real estate and I do a lot of
real estate investing, I'm using my trusted folks. So I have offices that are 15 minutes from my
house, closing companies, and loan agents and attorneys that I know and trust. And I'm like,
we use these or no deal. And I know them, I trust them, and I go to their office all the time.
So if you're doing a large amount of real estate, get some known
trusted entities and always meet in person. Don't get me wrong. There's some really good small one-offs.
And if you're buying a house once on a big mortgage, that's okay. But if you're doing cash deals,
real estate, trust and control who the people are that you're working with.
Right. But what happens if one of your trusted entities gets, if their servers get hacked?
So I'm in person. So the chances of me getting rogue emails or anything like that are super
slim. Right. But if they get hacked, they don't have any of my money or anything else. I'm bringing
the money in a check. So even if they get hacked and they try spoofing me or they get some details
on the property or they try sending me EFT, none of that matters. And because they're not ever
touching my money, the money goes from my hand to the seller's hand. So when I bring that check,
I have my fingerprints on it and I'm not handing it to anybody else, but the person's selling the
house. And I'm having that monitored and tracked. And sometimes if they allow it in big deals,
I actually have a video because I want to have proof that they got the check.
So now if they lose the check or they say something happened, I have actual evidence to show
that I handed them and paid the money.
And I know people are like, you're paranoid.
I'm paranoid.
I'm crazy.
I'm insane.
But guess what?
I'm safe.
I'm secure.
And my money's protected.
So sometimes online, it's so wild, wild west that having a little sense of paranoia and a little
craziness and a little sort of over the top being paranoid is going to go a long, long way to
protect yourself. Right. What would you do? So if you're buying out of state real estate,
you say you want that check to go to the seller. If the seller is out of state,
the piece of real estate is out of state, your closing agent can be local, right? What video are
you taking? Who are you handing that check to? So in that case is if you're actually doing
pure out of state where you're not actually meeting with them, whoever they're local
representative is, then I will go in and hand them to check or in some cases where that's not
practical, because unfortunately there are some real estate deals. Like we do some condos and some
renovations and it's all done online. In those cases, I will then have a Zoom video call that I
record where on the call they authenticate and verify who they are. So they're going to show me their
driver's license. I'm going to show their driver's license. We're going to verify and validate. And
they're going to tell me their banking information on the call, recorded with evidence and validation,
and then I will wire to that bank, but I'm getting the validation directly from them.
It's as if it's face-to-face.
That's what's great with Zoom.
Technology is it's like a face-to-face meeting and you can record Zoom.
And here's the cool part.
It's a social thing, but it's bizarre.
If we're in a conference room meeting in person and I want to video it, it freaks people out.
Right.
It really bugs them out.
Like, this is the weirdest thing on the planet of you videoing me.
It freaks people out.
But Zoom is so common.
Right.
Recording a Zoom call doesn't freak people out.
So in some cases, if they don't want to meet face-to-face or they won't agree to video,
I'll jump on a Zoom and record it.
And it's much safer and protected.
You now have evidence.
I get the banking from them.
I never trust email.
And then we do EFT as bank-to-bank.
That makes a lot of sense.
And it's one of those where, like, people are like, okay, Eric, that's a little more inconvenient. It takes a little more time. But as I said before, wouldn't you rather take 10 extra minutes on a Zoom call recorded than lose a million dollars?
Right. Yeah. And then to your other question, so what else can we do? Because I sort of hijacked it. So here's my rules. First, every account from e-commerce to banking to health care, you have to use two-factor. Like passwords, I joke. Passwords are so 1980. If you're going to use passwords, you might as well listen to the Bee Gees and wear bell bottom pants.
It's so out of sync. You've got to turn on two-factor authentication.
And then this is one of the things I hinted at, but we're now getting to this part.
We're talking about solutions is every type of service I know of, from Amazon to AWS to
Instagram to banks to healthcare.
They all have two-factor, but it's turned off by default,
because we're at this interesting stage where they don't think the public is fully accepting.
And if they turn on too much security and it inconveniences people, people won't use their service.
So I think we're getting close.
I'm lobbying.
I go to these companies.
I brief their boards.
And we're very close to having security turned on.
But right now it's not, it's super easy.
Go into your account, under settings, under security, under authentication, and just turn on two-factor.
It's either 2FA or MFA, two factor, multi-factor.
Most people know what that is. It's where you log in with a username and password and then you get
texted a one-time code that you use to log in each time. Now I know people go it's an inconvenience.
So here's the middle ground: once you two-factor, you can have it remember your device
and it will actually remember your IP address and place a cookie, which is a unique cryptographic
string on your computer. So now whenever you're coming from that location, you don't have to two-factor.
You can just log in with a password.
And now when you travel, like you go to a new hotel, it's going to say this is a new location
and you two-factor again.
I was just in San Diego for 10 days for a trial.
I logged in the first day, it asked for two-factor, but then it remembered my location
and IP address, and I don't have to do it for the rest of the trip.
So there is a balance there, but you can't trust passwords.
Right.
Almost all of the bank money transfers and all of the crypto wallets that have been stolen, I
would say 95% of them were passwords only. Very few are two-factor. Two-factor's really hard to spoof.
I mean, there's advanced attacks where they can take over your cell, but it's so hard and difficult.
It's almost all passwords. So if you turn on two-factor, that's going to go a long way. Second,
anything sensitive or involving money, put on account notification. So with my banks,
if anyone's withdrawing money, EFTing, or even deposits, I get a text notification that basically
says somebody's trying to EFT $35,000 out of your account. Is this authorized yes or no? And if I'm
doing the transfer, I know I'm doing it. So I have my phone ready and you have five minutes to reply.
So basically I get the text message and I reply yes in five minutes. Now if it's fraudulent and it's
the middle of the night and somebody does it, I don't see it till the morning. But guess what? Five minutes
times out and it automatically declines it. So now, and I know once again, people are like, Eric, that's
annoying, to get text messages all the time. But as I always say, you know what's annoying? To wake up in the
morning and have your bank account wiped out. So it's one of those, you're going to have a little bit of
pain. You're going to have a little bit of inconvenience. I'd rather the extra security and not having
any fraud committed. So account notification is another great mechanism. The next thing which we talked
about is, if in doubt, buy the app, don't do free. Like when I go in, if there's a free version and a
$9.99 version, I always pay because the paid version doesn't monitor your location, camera or microphone
and free always does. So minimize free applications. Then my rule is any app you haven't used in 45
days, delete, get off the phone. And I actually do the 10 app challenge. For an entire month,
you only use 10 apps. Be really selective on the apps and use only 10 apps and then try to remove or get
rid of because any free app that's on your phone is a point of exploitation. So you really want to
reduce those apps. Then as we talked about, don't click on links. Use apps. So if I get an email that says,
hey, there's unusual activity with your bank or, hey, your Amazon order's been discredited, I immediately
go into the app and I check the app. Apps are safe. Email is not. So don't trust email,
don't use links, always use the apps.
And then the last one, which is sort of a little bit of a curveball for most people,
is most of the attacks and most of the exploits are written for Windows.
Not that Windows is more vulnerable, but Windows is one of the most popular operating systems on the planet.
So most of these exploits where you click on links so you get hacked are all Windows-based exploits.
So I basically, if you look in my little backpack, I only use an iPad.
Because most of the exploits, most of the links, most of the compromises,
won't work on an iPad. So when I surf the web, when I check email, I basically only travel with
iPads because not that they're more secure, but they are simpler and less targeted. So the
probability of compromise is a lot less. Wait, so I'm hearing two different things in there. One is
the Windows versus Mac. The other is laptop versus iPad. Right. So Windows versus Mac, if you're
talking about a full MacBook, are about the same. Yeah. So the Mac OS, the full Mac OS, and the Windows
OS are both vulnerable. So those, be careful. Like when you're using those, no links, minimize web surfing,
minimize email because they're highly targeted and there's lots of vulnerabilities. Then an iPad,
which is actually a completely different operating system than the Mac OS, it's much simpler.
Right. The iPad has very few attacks. So I use the iPad for email and web surfing.
So when I work on client reports, I'm doing large data processing, I use my Windows system. But
when I check email or I surf the web, I always use my iPad because it's a much simpler device
and less probability of compromise.
Oh, that's interesting.
So I could shift to only using my Mac for when I'm doing audio recording, when I'm doing
video editing, things like that, but then shift to an iPad for banking, using Google spreadsheets.
Exactly.
Email, web surfing, all that stuff.
Exactly.
That really basic stuff.
and then get rid of most of the apps on there.
Bingo.
Wow.
All right, I've got my homework cut out for me.
Yeah.
Just to tie it all together, basically most people, in my opinion, should have three devices.
So you have your Windows or Mac for your power user, like for doing video recording, video editing, working on large client deliverables, all that kind of stuff.
Yeah, you have your desktop or laptop.
Exactly.
You then have your iPad, which is really going to be for your...
email, your web surfing, sort of the more risky stuff. And then you have your phone that has most of
the apps for doing banking, healthcare, and others, but you don't have many apps. You only have
the most secure ones. And then you use that for like WhatsApp, texting, Signal, and then your phone
calls. That makes sense. Separation. Yeah. You have your sort of three critical devices.
Right. That makes sense. How do we protect our security when we're getting
rid of an old device? Shred it, burn it, explosives? No, pretty much if you're using like
Windows, phones and things like that, you want to secure wipe it. So like if you go to the Apple
store and you're getting a new phone and you transfer everything over to your, a new phone,
and then you go into the old phone and you say delete and it securely deletes it, that's actually
really good. Like they have good encryption, good wipe
on it and it removes everything. If you're super paranoid like me, I don't ever trade in old devices.
I keep them, I lock them in a safe, or there are companies that will physically destroy them.
Like, they will come and like some of my real old, I got to the point where I had like 10 phones
and I didn't have room in my safe anymore to keep all of them. So there's actually companies,
and it sounds crazy, the companies will come and you go to their truck and they actually have this
tub and they actually acid bath it and it basically eats the phone. So the phone is destroyed
completely. And I know that's paranoid. What a cool job. Yeah. But here's the thing. My stock
information in my bank, there's millions upon millions of dollars on there that spending $50 to
destroy it is so much safer than even though the encryption destruction is secure, I'm super
paranoid. And then with like laptops or MacBooks, what you want to do is remove the hard drives.
Because you're not going to, these are small things. You're not going to acid bath the whole
laptop. Plus, it's not really good because of all the electronics and glass. So you actually
want to remove the hard drives and physically destroy them if it's super sensitive.
Now, for some of your listeners, they're like, okay, Eric is off his rocker and nuts.
So for those that don't want to do acid baths, right, other devices, there are secure delete
programs that you can actually go in and will encrypt your entire drive five times.
And the probability of recovery is almost nil.
So if you want to go in and use the secure delete programs like on Apple phones, that's good
for the average user.
If it's super sensitive millions worth of dollars of investments, go in and do the physical
destruction.
Biometric data.
When we give access to our biometrics to, let's say, something like Clear, are we,
how safe is that?
Is that something that you would do?
So you asked the right question, which is, would I do it?
Right.
So here's how I make security decisions.
And here's how I recommend people making security decisions.
It's never yes or no.
It's two questions.
First, what is the value and benefit?
Yeah.
First, what is the risk and exposure?
And then if the value and benefit is worth the risk, I do it.
So to answer your question, I use Clear.
Because here's the reality.
What Clear does is it has my
biometric data, but it has a small sample set that's unique to Clear. So if you look at facial
recognition and not to geek out on you too much, there's actually around 80,000 different unique
points about your face, which I know is crazy if you look at a mirror going, there's 80,000,
but there's 80,000 unique features. You only need 4,000 to get an accurate reading. And one of the
reasons I use them and I research them is they don't go in and take all 80,000.
That would be dangerous.
They only take 4,000.
So now, even if somebody compromised Clear and they only got 4,000, every other biometric
system you're using are using different data points.
So they wouldn't be able to replicate or steal your face.
It would only be a one-time usage.
Now, could somebody go into Clear, get my biometric representation, make an actual mask,
and wear it in an airport and try to pretend to be me?
Yeah, but here's the thing.
The probability and difficulty is so hard to do that that I'm willing to accept that risk.
I travel all the time.
Getting through an airport 30 minutes quicker every time I travel, if you look at my billable rate,
that's well worth the risk of somebody potentially stealing a very limited subset of my mask.
So to me, the benefit outweighs the risk, and I use Clear.
Right.
They might not make a mask and use it to try to get through an airport, but could they make a mask
and use it to try to face ID into your phone?
No, because the phone uses
a different 4,000. So everyone has a unique algorithm where they use different data points to get in.
And then, yeah, the phone, I use biometric data. I love it because it can unlock so quick.
And everyone's like, oh, Eric, that's such a big risk. Because they're like, if somebody gets your face and gets your phone, they can log in.
Well, here's my response back. If somebody has access to my face physically and they have my phone and they're forcing me, they probably have a gun to my head.
And guess what? I have bigger problems.
Because guess what?
If I didn't use biometric and I only used passwords and somebody has a gun to my head or a gun to my children's head, I'm giving them the information.
So it's one of those where sometimes security professionals get too crazy with the hypotheticals going, oh, I would never ever use biometrics because if somebody got this, this, and this, I'm like, yeah, but if you got in that situation, you have a bigger problem at that point.
Now, could somebody break into my house when I'm sleeping, try to go in and unlock my phone?
No, and here's why: your eyes have to be open.
And now they go, oh, Eric, what if somebody breaks into your house,
get you while you're sleeping, opened your eyelid and does it?
Once again, I have bigger problems at that point.
So you've got to be practical about it where, yeah, there's a risk,
but the probability is so low I'm willing to accept the risk.
Right.
What is, I have a friend who keeps talking about the YubiKey.
Can you explain what is that?
That's a device that you plug in to your phone or your computer
that basically auto-authenticates you to allow you to go in.
So if you don't have the YubiKey, you can't access the device.
So it's basically like a key to your house.
Is something like that beneficial?
Is that something that you would recommend to the average Joe or Jane who's listening to this?
No.
Here's why.
Two reasons.
One, it's something for you to lose.
Think of how many times people forget things at home, forget their car keys.
I've had friends that use it and they go in and they're at the office or they go on a trip and they forget it at home.
And now their phone is bricked.
They can't access it.
And also to me, it's an additional point of failure.
And then here's the other reason why I don't recommend it for the average person.
Where are they going to keep their YubiKey with their phone?
I noticed you have the little wallet on the back.
Yeah.
So guess what?
They keep their YubiKey in the little wallet.
Well, that sort of defeats the purpose because now if you lose your phone or somebody gets your phone,
they're going to have the YubiKey.
So unless you have like really high-end security practices where you're going to have a separation
and you're going to have somebody with you that has the YubiKey that they can give you to plug in,
like national secrets, like I would recommend the Secretary of Defense do that because he always has a cadre of people with him.
So now he has his phone, somebody else.
And when he's going to transfer secrets about a war strike in Yemen, he gets the YubiKey and plugs it in.
And so for that type of very high-end information, I recommend it, but I don't use one because it's
just the risk factor of being locked out versus the benefit isn't worth it to me.
I have other security measures in place.
And that's probably one of the other things I want to recommend really quick, endpoint security.
Like EDR is called endpoint detection and response.
Companies like CrowdStrike, Sophos, McAfee, Symantec, you want to have the endpoint security
on every one of your devices.
So we said three devices.
You want endpoint security on your laptop, on your iPad, on your phone.
Most people do it on their laptop, but they don't do it on their phone and iPad.
Once again, it's $59 a year for three to five devices, and having an extra level of protection
is going to help protect.
To me, spending $59 on an EDR for your device is much better than having a YubiKey
where you have to remember it and plug it in each time.
And that's for Mac users as well.
Exactly. And pretty much every operating system has EDR endpoint security.
I remember in the days, in the old days, seemed as though that was primarily, well, I'm thinking
about Norton antivirus for Windows. It was only Windows, yeah. Right? Yeah. And Norton antivirus
was often so slow that I was like, this program itself is the virus. Yes. You know.
So 15 years ago, you're right, the endpoint was so terrible and it was so limited. People didn't
use it. Today, it's so much more optimized and advanced. You wouldn't even know it's there unless there's a
problem. You mentioned that you have a safe. What else is in your safe? Or what should we all put in our
safes? I work on very high-profile litigation cases. I've had multiple billion dollar verdicts.
So when you're working on an $800 million lawsuit against a very large company and you have
access to their trade secrets or their source code that's worth hundreds of millions of dollars,
I'm under protective orders that if I don't protect that information and secure it,
that I could be liable. So I'm required in those cases with a PO to lock up any of that
sensitive data in the safe. So that's one of the first things I have a safe for is critical
client information and client data. I also, when I'm not traveling, I store my passports
in the safe. I also have my birth certificate and documents like that. Any investments,
like bonds and stocks, I keep in my safe. I'll also be a little
careful here because I don't want to be targeted, but I'm also a big believer in having cash on hand.
So I have not crazy amounts that somebody would want to break in, but I have a certain amount of
cash in that safe just for protection reasons. I then also backup my devices locally.
So my laptop, my phone, my iPad, I don't always trust the cloud. I have local backups every
month that I also keep that in my safe to be able to keep that protected. And then
I'll usually go in because my iPad, I use so much for business. I have a backup that's imaged
and replicated, so it has an exact duplicate copy of all the data, all the information, all the
apps. I keep that in my safe. And then the last thing that shocks people, but I believe in redundancy
and backup, is my passwords. I know everyone says don't write passwords down. I'm a practical security
practitioner. I write them down and I put it in the safe. Because now, if something does happen,
and I forget a password or something occurs and I need to get in or something happens to me.
And a family member needs to get in.
They also could have access to it.
So I don't keep that in my safe.
So those are usually the fundamental things.
And then my safe is not only fireproof.
That's very important because if there's a fire, you want to make sure that nothing burns inside of it.
And then I use a two-factor component: I use a combination and a biometric.
So now in order to get into my safe, you have to go in and have my biometrics and you have to know the combination.
So once again, for somebody to get in my safe, they pretty much have to have a gun to my head or a family member in order to get in or access it.
Right.
And then the last thing is you actually want to keep the safe in a non-discreet location.
Like you want to put it either sort of in a closet or in certain areas.
And once again, this freaks people out, but I have a spot in my house where it looks like it's just a panel.
You know how you have the grate for HVAC? It looks like a panel,
but it actually just has two spin screws, and we open it up and the safe is back there.
So it's a little non-discreet and where I keep it.
And then last thing, because I'm always going to be honest with you.
And once again, I wasn't going to say it, but I always like being honest and complete.
I also keep a weapon, a sidearm in the safe.
I believe in weapons and sidearms, but I also believe there can be too many accidents,
and in a lot of cases, people have weapons for protection, and the criminal can use it against you.
So I believe in weapons, but I believe in securing them and keeping them safe, so I keep that in a safe too.
How large is your safe?
Yes, it's about this high and then this wide.
And it actually, you see how paranoid I am, it's actually a two-cabinet.
So there's actually a cavity.
So there's two different.
So all of my business stuff for my clients, I keep in one portion of it, which is the bigger portion.
And then my personal items, which I know it sounds like
a lot, but they're all pretty small, I keep in the bottom portion. So there's actually two different
combinations with two different biometrics. Thank you for sharing all of this with us. It
paints a real picture about what we need to do in order to protect our investments, our money.
I certainly have my list of homework assignments that have come from this. Where can people find
you if they'd like to learn more? You can find me online. I use Dr. Eric Cole, D-R-E-R-I-C-O-L-E for my
Instagram and for my YouTube. I put a lot of videos out there. My personal website is
DrEricCole.org. My company website is secure-anchor.com. And I just want to really thank you for having
me on the show because my mission is to secure cyberspace and many people don't know the dangers.
So the fact that you have me here so I can share the message with your listeners, I really thank
you for doing that. Of course. Of course. Thank you for coming. And I think this is one of those topics that's
incredibly important, but often not talked about because it falls under the category of important
but not urgent.
Boom.
You know?
Until something happens, then it becomes urgent.
Exactly.
Exactly.
So it's just one of those things that lingering in the back of your mind, it's like creating
an estate plan, right?
Bingo.
Like lingering in the back of your mind, you're like, I really should probably be doing
something about this someday.
But there's never any triggering event that causes you to
take it seriously, and then it only becomes a problem, like getting flood insurance, right?
No one thinks about it until your house gets flooded.
Like alarms.
Right.
Nobody gets an alarm until you're broken into, too.
And that's why I love you asking me about the stories, because we can make it real.
It's going to happen to you.
Be proactive, and you can minimize it from happening.
Exactly.
Well, thank you for spending this time with us.
My pleasure, and thank you for having me.
Thank you to Dr. Eric Cole, former CIA hacker, advisor to Bill Gates, and
former cybersecurity commissioner under President Obama.
What are three key takeaways that we got from this conversation?
Key takeaway number one, you may already be being robbed and you don't even know it,
because cybercriminals don't just target billionaires or big companies.
They figured out that it's easier to steal small amounts from millions of regular,
ordinary, everyday people because we don't have the same level of protection that billionaires
and big companies have. And so a lot of cybercriminals might be draining $20, $30, or $50 from your
accounts every month. A lot of people never check their statements carefully enough to be able to catch
that. And so over the span of years, this death by a thousand paper cuts approach can
ultimately cost you thousands or even tens of thousands of dollars. If I go in and steal $50
from everybody every month, most people won't notice it. Most people don't check
their credit card statements. So if there was a $20, $30, $40, $50 deviation, they wouldn't notice it.
So we sort of call it the death by a thousand cuts. So the reality is you could have money being drained
from your account that over years could be costing $20,000, but it's done so low and so little,
you don't even notice it. That is the first key takeaway. Key takeaway number two, your bank won't
save you. You're on your own. FDIC insurance does not protect you from cybercrime. There are
regulations, yes, but those regulations protect the bank if they get hacked, not you personally,
if you get hacked. So if criminals access your account using your own login credentials,
you're the one who's liable for the loss, not the bank. And if they have just your account
number and your password, they can transfer up to half your savings without triggering any alerts.
The thing you have to remember is, you're right, it is one of the highly regulated industries,
but the regulations are around protecting the bank if they get compromised.
So you go to your bank and it says, you mean, FDIC insured up to $300,000, that's if the bank
gets hacked.
Yeah, $250, I believe.
Or $250.
If the bank gets hacked and the bank goes out of business, you're covered.
But what people don't realize is the regulation and it's scary because the U.S. is one of
the few countries in the world that doesn't have a unified law
on security and privacy that protects citizens.
Most of the regulations out there are protecting the entity.
Like HIPAA protects hospitals.
It doesn't protect individuals.
The bank regulation protects the bank.
So if the bank goes bankrupt or out of business, you're protected.
But if you don't protect your password and somebody gets in and gets your user ID and password,
that doesn't protect you from the regulations.
You're liable not the bank.
This makes it all the more critical to have good
security practices in place. That is key takeaway number two. Finally, key takeaway number three,
be particularly careful when you're making a real estate transaction because real estate deals have
become cybercriminals' favorite target. They break into the servers of closing companies and they
wait for months for the quote-unquote perfect victim, which is typically somebody who's making
a large cash purchase. And then just a few days before closing, they send fake
wire instructions that look completely legitimate. Dr. Cole tells the story of two Ohio teachers
who lost their entire $1.3 million inheritance, which was meant for their dream farm.
And it was all because they got an email that looked legit.
And it turns out it was a scam. We got involved because there was sort of lawsuits of who's
liable in this case. And the email for any average person looked legitimate. It looked valid.
It had all the proper authentication methods. And it turned out that the closing company
servers were hacked and they were sending emails out to select individuals that were cash-based
deals. Because here's the reality. There's very few cash-based deals. So if you're going in and you get a loan
and you're only putting $80,000 down, an attacker doesn't want that. So they broke into those
servers for three months and they were waiting for a big cash deal.
I actually know another person that this happened to as well. She's public about the story, so I'll say her name. Shannon Allen. She used to be a personal finance blogger back in the early days of personal finance blogging. She at the time wrote a blog on frugality, which is how we knew each other. She also fell victim to wire fraud during the closing of a real estate transaction. She lost $52,660 to wire fraud from scammers.
This happens to ordinary people.
It could happen to you.
It could happen to your friends.
I'm not trying to be alarmist, but ever since I heard Shannon's story,
I have developed a paranoia around wiring money during real estate transactions.
In fact, last year, I needed to send $100,000 to a closing attorney as part of a real estate deal.
The most reasonable thing to do would have been to send a wire.
I actually physically showed up in person at a bank branch and had a cashier's check made,
which I then went and hand delivered.
Even the people at the bank were like, you know you could just wire this.
And I'm like, I was thinking about Shannon Allen at the time.
I even told them about Shannon's story.
And I said, no, no, no, I'm insisting on doing this by cashier's check.
Now, of course, that's not always possible because many closings are out of town or out of state,
but there are still a variety of good practices that you can put into place to protect yourself from wire fraud and from scammers generally.
Not just in real estate transactions, but at all times, because you heard Dr. Cole talk about the phishing scams that are out there, the grandparent scams that are out there, people calling a grandparent and saying, hey, your grandson's in jail on a DUI,
you need to send bail money to get them out.
You know, then grandma panics and sends over money.
Like this stuff happens all the time.
And you and your family and your friends don't have the protections that big institutions have,
which is why this matters so much.
We have a course on real estate investing.
It's called Your First Rental Property.
We're building a new lesson in that course on how to protect yourself from fraud,
how to protect yourself from wire fraud, how to protect yourself from scammers, how to protect yourself from
phishing attacks. So that new lesson will be ready by the time that we reopen the course for our next
cohort, because it's a cohort-based course that we open twice a year. We run a spring semester and a fall
semester. So that next lesson's going to be ready in time for the fall semester. But now more than ever
in the age of AI, this stuff matters. And when it comes to our money, I mean,
we can get caught up in like tweaking around the edges, you know, optimizing around the edges of our asset allocation.
And that part's fun because it's so full of possibility.
But it's, you know, in any sport you play offense and defense.
And the defense side, the protection side, the asset protection side, if you don't have a strong, strong defense in place, then all of the optimizing around the edges is meaningless if you don't have that strong defense in place.
So I encourage you to take the subject seriously.
Thank you for being part of the Afforder Community.
If you want to talk to other members of the community,
you can do so for free at Affordanything.com slash community.
It's a great place to hang out with like-minded people
and discuss whatever's on your mind.
Again, afford-anything.com slash community.
We have a newsletter. It's also free.
We elaborate sometimes on what we talk about on the show
and sometimes we talk about completely different things.
You can subscribe to it at Afford-anything.com
newsletter. If you enjoyed today's episode, please do three things. First, share it with the people
in your life. Share it with your friends, your family, the wire transfer guy at the bank, the person
who makes your cashier's checks, the new guy in your signal chat. Share this with all the people
that you know. That's how you spread the message of F-E. Number two, open up your favorite
podcast playing app and make sure you've hit the follow button so that you don't miss any of our
amazing upcoming episodes and while you're there, please write a few words, tell us what you enjoy about
the show. Leave us up to a five-star review. If you're on Spotify, you can also leave a comment on the
episode, on the specific episode. We read every single one and love hearing from the community.
And number three, head to YouTube. YouTube.com slash afford anything. Subscribe to our channel,
hit the bell to get notifications, watch these interviews. It comes to life when you see it on a screen.
So join us on YouTube.
YouTube.com slash afford anything.
Thank you so much for being an afforder.
This is the Afford Anything podcast.
I'm Paula Pant, and I'll meet you in the next episode.
