CyberWire Daily - Live from Orlando, it's Hacking Humans! [Hacking Humans]
Episode Date: February 27, 2025
In this special live episode of Hacking Humans, recorded at ThreatLocker’s Zero Trust World 2025 conference in Orlando, Florida, Dave Bittner is joined by T-Minus host Maria Varmazis. Together, they explore the latest in social engineering scams, phishing schemes, and cybercriminal exploits making headlines. Their guest, Seamus Lennon, ThreatLocker’s VP of Operations for EMEA, shares insights on Zero Trust security and the evolving threat landscape. Maria's story this week follows the IRS warning about a fake “Self Employment Tax Credit” scam on social media, urging taxpayers to ignore misinformation and consult professionals. Dave's got the story of the Better Business Bureau’s annual Scam Tracker report, revealing that online shopping scams continue to top the list for the fifth year, with phishing and employment scams remaining major threats, while fraudsters increasingly use AI and deepfake technology to deceive victims. Our catch of the day comes from Diesel in West Virginia, and features a scammer who tried to panic their target with a classic “We’ve frozen your account” scam, only to get hilariously mixed up with actual embryo freezing.
Resources and links to stories:
Better Business Bureau reveals top local scams of 2024
IRS warns taxpayers about misleading claims about non-existent “Self Employment Tax Credit;” promoters, social media peddling inaccurate eligibility suggestions
BBB Scam Tracker
Got a $1,400 rebate text from the IRS? It's a scam, Better Business Bureau warns.
You can hear more from the T-Minus space daily show here. Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@n2k.com.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast where each week we
look behind the social engineering scams, the phishing schemes and criminal exploits
that are making headlines
and taking a heavy toll on organizations around the world.
I'm Dave Bittner and joining me is my N2K colleague
and host of the T-minus Space Daily podcast,
Maria Varmazis.
Maria.
Hi, Dave.
Hi.
Thank you.
We are recording this week's show
in front of a live audience
at ThreatLocker's Zero Trust World 2025 conference in Orlando, Florida.
Let's hear our live audience.
Thank you.
And our special guest today is Seamus Lennon. He is ThreatLocker's VP of Operations for Europe.
Seamus, thank you for joining us.
Thank you very much.
And now a few thoughts from our sponsors at ThreatLocker.
The tactics used by cyber criminals are becoming more and more advanced every day.
The shift from a default allow approach to a default deny is more critical than ever.
This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allow
listing and ring fencing has your back.
And we're back. Maria, we don't have any follow-up this week, so why don't you kick things off
for us? What do you have for us this week?
All right, so it's a shout out to Joe Kerrigan's Scammer Liturgical Calendar.
It is the most wonderful time of the year for tax scammers.
So I have two stories that I wanted to talk about today.
The first one is by Kate Gibson of CBS News Money Watch.
There is a tax text scam going around,
claiming that the IRS has a $1,400 refund, just for you,
actually, Seamus.
All you need to do is click the link
to confirm your personal information
to get a checkmail directly to you.
Sounds fantastic, honestly.
So the scammers are clearly taking advantage
of some, how shall we say, politely tumbled
at the IRS currently,
but they are also latching on to news
that is valid in a way that you might have heard
that the IRS is actually sending $2.4 million
to about a million taxpayers, legitimately,
who are eligible for a pandemic era stimulus payment
but didn't receive them.
However, those payments are automatic.
You don't need to do anything to get those.
And also the IRS will always send a letter.
They will not text you.
So that is really, really important to remember.
You're not gonna get a text from the IRS.
That said, while the IRS will not text you,
I have a follow up, follow on story
from one of our listeners, Kaylee.
Kaylee is, like many of us, doing their taxes right now.
And Kaylee noticed that they're looking around at tax firms.
So these are the companies that will help you
file your taxes.
It can be hard when you're trying to figure out
who's gonna help you with your taxes,
who exactly you've reached out to,
and what marketing spiel you've signed up for.
And Kaylee got a text message saying that they had gotten
a tax refund that was expiring soon,
and apparently that they'd already agreed
to get text messages from this firm.
But Kaylee noted that they actually had never agreed
to any of this, they'd never signed up
for anything from this firm,
didn't recognize the company at all.
And the very first message from this kind of iffy company
was the firm promising a refund,
again, just click this link to get it,
and it wasn't actually a direct fish.
It was more fraud, like a pH fraud.
Ha ha.
This is, this tax firm is promising a refund
under a pandemic-related tax cut that doesn't exist.
It's called the self-employment tax credit
that the IRS goes through pains to mention does not exist.
But a lot of scammers are taking advantage
of misinformation about this on social media right now.
So people pay phony tax preparers, which there are many,
it doesn't cost much to spin up a website
and say, I'm a tax preparer.
And people pay these preparers for money that will never come.
So you're out of the money that you paid these preparers for.
And again, the $32,000 that you thought you were going to get from the IRS
is never going to appear.
And also they have your social security number.
So isn't that grand?
Wow. Wow.
I'm curious, Seamus, your comments on this.
I mean, when you think about this kind of scam coming into someone,
what are some of the red flags that come to mind for you?
Well, if I receive a text message from the IRS, I'm going to get really worried.
I bet you would.
I don't know, it's from Pay Tax and the United States.
But if I do, I'm going to get really, really worried.
But it is typical.
Like, they'll attach onto anything that's relevant in the time
that's relevant.
It's tax period.
Let's just hit everybody with tax.
And the thing is, most people won't fall for that.
But a lot of people do.
Like postal delivery.
I mean, how many people have received a text message
or an email to say, hey, we've got your package.
But you need to go on this link and pay the customs for it.
When you have an order then.
Now if you're an online shopper,
here's that question going, did I order something?
Did I order anything?
Easy to forget.
And that's the thing.
And that's how to dupe people very simply and very easy.
Very easy.
So I'm based in Ireland,
so we have the regulation commission
in Ireland for communication, is ComREG.
Now, they've actually introduced something new,
which is totally new in Ireland, which basically means,
as a business in Ireland, you must register your number
with ComREG.
If you do not register your number or caller ID,
or your SMS ID with ComReg,
every time you send out an email or a text message
or a voicemail to a user in Ireland,
it will come up as potentially fraudulent.
Straight away.
They're taking control.
So the amount of times any of their voicemails,
like the vision, I look at my phone, I see a number,
I don't answer it, look up the number,
it's a help and support site for, you know,
a telephone provider in orange.
They advertise the number online.
So with, you know, technology like voice mail repeat,
I can just phone a phone number, and I could be anybody.
But with the introduction of this now,
when they do that, it's flagged straight away.
Now it's gonna say, like, 3,500 people get choked
every day in Ireland.
We're not a huge country, we're only 5,500.
3,500?
People.
That's adorable.
It is.
I'm not saying we're very people in Ireland.
No, no. We're just the only people in Ireland.
But it's a numbers game, right?
It is a numbers game.
It is a numbers game.
Yes.
Yeah, it also makes me think about how so many parts of the world, it seems, are ahead
of us here in the US when it comes to regulations tamping down on these things.
I know for me personally, every time I get what is obviously a
fraudulent phone call or text message or something, I think to myself, why is this still happening?
In the amount of technology we have, why are we still getting these things? It's maddening
that we aren't farther ahead. But it's interesting to hear that other nations are taking action.
And it's great that it's taken the control
out of Andrews' hands.
And that's essentially what it is.
Because, you know, they're not targeting intelligent people,
not targeting people that are aware of these things.
They target everybody.
Yeah.
Everybody.
So, you know, my 70 year old auntie takes up the phone.
Again, she's maybe older than package, maybe hasn't, very simple, very easy to be jilted.
Show of hands, how many people have gotten a fraudulent text message in the past month?
That's everybody.
This gentleman raised both of his hands. He has a work phone and a personal phone, so nobody's immune.
Alright, what else do you have Maria?
That was actually both of my stories
All right, terrific. Well, my story this week is more of a sort of a broad informational kind of thing
This is actually from the folks at ABC seven in Chicago one of the local affiliates there
And they did some reporting on the Better Business Bureau's
Report on the top local scams of 2024.
So the Better Business Bureau,
probably most of you are probably familiar with,
they're an organization that helps keep track
of businesses in your community.
They help take care of disputes
that people might have with local businesses.
One of the things they also do
is they have a cyber scam reporting line
and they keep track of the scams that are going on and they generate statistics.
In this case, they generated a report for 2024.
And I thought it'd be interesting to see
some of the top scams that they were tracking
from their perspective as folks who are keeping an eye
on the consumer retail side of things.
Let me start with a question.
So I'm going to quiz the two of you.
What do you suppose the number one reported scam is for the
Better Business Bureau, for consumers?
Is it gift card related?
No.
No.
OK.
Seamus?
Is it refund related?
Maybe.
Oh, that's an interesting guess.
All right.
Yep.
It's actually online purchases.
So this is fake websites.
This is fraudulent transactions, situations where people believe that they have purchased
something online and it never shows up.
We're seeing a ton of situations,
especially on platforms like Facebook,
where someone will generate what looks like
a totally legitimate storefront,
sometimes offering impossible prices
on irresistible products
that are well-known name branded things,
and people shop around,
the bad guys pay to have these ads put in front of people
and you're minding your own business scrolling through and you see, oh, there's a kayak and I really want a kayak
and that's half the price of the kayak usually is.
You go through, looks like the legitimate website for the company who sells the kayak, 100%.
You put in your credit card information.
They send you an email that says,
good news, your kayak is on the way.
And of course, you're never gonna get the kayak.
There never was a kayak.
This fake store is just imitating
the actual retailer of the kayak.
And in most cases, you'd be out of luck there.
You could go back to your credit card company,
but these are rampant on platforms like Facebook.
Yeah, it costs pennies to do.
Yeah.
Exactly, fractions of pennies.
Yeah.
Right, absolutely.
I'm going to go through some of the other ones here.
Phishing, of course, is number two.
I'm sure everyone in this room is familiar with what phishing is.
Number three is employment scams.
So we've been seeing this in the headlines a lot,
particularly some of the stories coming out of places
like North Korea, where folks are either setting up
fake recruiting services, they're trying to get folks
who are looking for jobs, or there are folks
who are signing up for jobs fraudulently.
So people who are from places like North Korea
will apply for jobs here in the US,
sometimes get those jobs, let's say engineering jobs,
but the money's all being funneled back to North Korea,
which of course is illegal.
So we're seeing both of those.
In fact, just about a week or so ago,
there was a woman in, I believe in Midwest, who got arrested for having a laptop farm
that was facilitating fraud from North Korea. So the North Koreans were taking advantage of her
laptop farm to make it appear as though they were here in the United States when they were doing all
of their work from around the world. Coming in at number five, I'm sorry, I skipped number four.
Number four is debt collection.
So this is a really easy one.
You get a text message or a phone call, someone saying that you owe someone money.
One of the key components of this is it puts you in an emotional state.
Of course.
Right?
Yeah.
And that's what these scammers rely on.
They short circuit your brain's rational thinking.
Someone calls you up and they say,
you owe us money and if you don't pay us,
we're going to do something bad to you.
Bad things are gonna happen.
We're gonna ruin your credit.
Or, you know, all sorts of,
you could go to jail if you don't pay.
And of course it's all fake.
Number five is counterfeit products.
Number six are travel, vacation and timeshare scams.
Government agency imposters.
So this is one we touched on with the fake delivery schemes,
the postal service, that sort of thing, the IRS.
Yeah, these are big.
Sweepstakes and lottery prizes.
Number nine is tech support scams.
How many folks have seen a tech support scam?
Yeah, seems like these aren't as popular
as they used to be, but they're still out there.
Particularly, you see pop-ups of someone
who is running a browser and they don't have what I would call
a fundamental level of pop-up blocking
or ad filtering or you know,
the things that probably the folks in this room
would seem like basic but they don't have that
and so something pops up and it says
your computer is infected.
My favorite thing was years ago,
my elderly father had a hand-me-down MacBook Pro that
I'd given him and he called me over one day and said, Dave, the computer's broken, please
come over.
I'm sure there are many people in this room who have that relationship with their parents
as well.
So I go over to help him fix the computer and sure enough there's a pop-up on his Macintosh that says that his Windows operating system
is infected and said, Dad, I think we're okay here.
Dad's not dual-boxing?
No, okay.
Right?
No, Dad is not running a VM on his Mac.
I can assure you.
My father, obviously I love my father dearly, but he's one of those people who knows
what to do but not why he's doing it. So he will have a USB cable that he has a sticker
on that says printer. And so, and then he has a sticker on the computer above the USB
slot that says printer. And so he knows the thing with the printer label goes in the hole
with the printer label. And if he does that that the printer works. That's all he needs to
know. It's a good reminder that there are lots of people, people we work with and
our loved ones who are running successfully doing their day-to-day
lives with that level of understanding but they have big targets on their backs
because of that. They don't understand what's going on behind the scenes. And
then the last one here are investment scams.
And of course this has to do with cryptocurrency.
We see lots of investment scams also tied to romance scams
where someone will get a message out of the blue.
Someone will say, oh, I'm sorry, I texted you accidentally.
By the way, who are you? And where do you live?
And they'll send a picture of someone who's quite attractive.
And they'll start building a relationship, sometimes
over days, weeks, or months, that inevitably leads
to a pitch for some kind of investment.
And at that point, they have built up so much trust.
And they have done so much relationship building and love
bombing where they're just telling this person that they
are the best person and how important they are to them. And
they get the person's defenses down, go in for the kill, get
the investment scam. And now off we go people lose thousands of
dollars, hundreds of thousand dollars and even millions of dollars in some of the stories
we've covered here.
Just devastating.
I'm curious, Seamus, as we go through this list,
are there any ones in particular that stand out to you,
that you've either, through you or your loved ones,
that have affected your family, or ones that are particularly
notorious in your mind?
Well, obviously, number one is phishing. It's always been around at all. It always will be around.
One thing as a cyber security professional I always get asked is,
what about AI? Can AI stop all this? Or how is AI improving things or disproving things?
Well, realistically, what AI has actually achieved
when it comes to phishing is corrected spelling mistakes.
That's about it.
And it can also be used then for targeted phishing.
So you mentioned first about the Facebook ads
and that I have a Facebook profile.
The last time I posted on Facebook
would have been six years ago.
I still use Facebook, I just don't post on it.
There's nothing personal there, there's no information about me there.
You know, if you want to find anything out,
you can find everything professional about me on LinkedIn.
And that's it.
But I've got no personal information shared on the internet
so people can use against me.
Because that's what AI will do.
It'll go off, search up your name on social media sites,
and it'll create a persona of a phishing attack that suits you.
Just you, very simple, very easy, and it can be done in seconds.
Seconds, and that's the thing.
So it's still always going to be primary,
and it'll hit all the notes that you as a reader will see that,
oh, maybe this is genuine.
So, you know, it's never going to go away.
But look, there's two things with phishing, either it's credential compromise or it's
to get a user to run something on the device. Simple as that, it's to gain access. At
ThreatLocker we believe in zero trust, which only allows access where access is required.
Although we can't control the phish itself, we can control what happens in the aftermath of that.
Now, if it's credentialed, obviously we can help with that.
We just launched cloud control, which says,
even if your credentials were stolen,
if somebody tries to log in from an unauthenticated device,
the device that's not yours, it gets blocked from the line.
So it's, again, stopping that level of access as well.
Yeah. Well, and I think, you know, particularly at the corporate level,
it seems as though there's recognition of the need for these types of things
and more of these things are in place.
But I still can't help worrying about my friends and family.
They say my elderly father, and I'm looking forward to the day when those level tools
filter down and become the day-to-day things
that just operate in the background
that people don't have to worry about.
You think we're heading that way?
We are heading that way.
And as I said, my example about the Irish ComReg,
that's filtering up to the top.
So that's taking it out of the equation completely.
So imagine how many thousands of people it's going to save
from those phishing attacks, the smishing attacks,
those text messages for packages and the IRS in Ireland.
I know it's not going to happen, but the revenue service.
But that's just going to take it all out of the equation.
So again, that's taking it from the top level
all the way down to the bottom.
So look, it's about awareness.
It's always been about awareness.
Now, you're not going to be able to teach everybody.
And that's the unforeseen thing.
You cannot teach everybody how to be secure
and how to be safe.
Right.
I live by zero trust.
So basically, I'm very much paranoid about everything.
Not in that sort of way, but I am when I'm online, I'm on my computer, the websites I go on to, or anything like that.
You mentioned Bitcoin. I do bits in Bitcoin and then cryptocurrency.
And if you start reading up anything about what's the next best thing.
Because look, everybody that's into cryptocurrencies, for one reason, is to make that 200 plus thousand profit
or more to be invested in.
But if you look on what's the next big team
in cryptocurrency, you can guarantee
the five out of the 10 teams that you look at are fake.
Completely fake, they don't exist,
all they want is the initial investment.
Because it's not even the cryptocoins.
It hasn't even been published.
And that's what they utilize.
What are people interested in? To juke them into basically taking the money.
Yeah. Yeah.
I'm curious for you, Maria.
Are there any of these things that have touched your life?
Oh my goodness. I've mentioned it a few times on the show,
but I've known people who've gotten really badly involved
with these romance scams.
And I've talked about it a couple of times also,
but even when you have people in their lives like myself
who know about these things,
or people who work in law enforcement who can speak to,
you know, the dangers of these romance scams,
a lot of times people just really want to believe
that they're true.
And it's very, very hard to disentangle them from these things.
But to your point about helping out family and friends, actually to both of us, both
of what you were saying, it's, I have, my mother's in a similar situation of, she doesn't
know a lot about how these things work and my mother is very intelligent.
But my view is she shouldn't have to know how these things work.
She's extremely smart in her own areas of expertise.
You know, this is not, this just happens to not be what she is an expert in.
So it's, as much as we try to stay on top of these things, and we should,
because it's our jobs, we have to just also remember that nobody can know everything.
And hopefully we have solutions like what you've been mentioning
that can help people not have that burden of knowledge,
because it's just not possible for everyone to do it. Yeah. Yeah.
We, you know, I think it's true that nobody is a hundred percent immune to these sorts of things,
particularly the social engineering types of things.
Every one of us has something that we love to do, if it's a hobby or an interest or, you know, a collection
that would, if sourced from something we know and trust and love,
would probably get our defenses down.
And that's not a dig against us.
We're all human and we have emotions.
And so that's what they take advantage of.
It's interesting too, just swinging back to what you were saying about not being on Facebook for so many years and doing things on LinkedIn and that sort of thing.
It really is, I think, a shame that so many of us, when we have these conversations about social media platforms, it's, you know, I guess I do this because I have to,
not because there's any real joy and pleasure so much in it.
I know there are new things in Mastodon and Blue Sky and things like that
that are doing their best, but it's a shame that we've gotten to that
where that is the point of where we are today.
Yeah, and that the best way to use them is to basically not use them.
That's the safest way to use them.
And how aggressively bad they've gotten.
I mean, I would say even in the past year,
I'm on Facebook to keep track of my friends and family
all over the United States and around the world.
And it's just remarkable to me how aggressively bad it
has gotten, including scams in front of me
and things I'm not interested in,
just ad after ad after ad.
It's maddening that they have us kind of linked into that.
Wait, that was a mixed metaphor, wasn't it?
Yeah.
All right.
All right, we are going to take a quick break
to hear a message from our show's sponsor.
So let's return to our sponsor ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your
infrastructure from the ground up. Where traditional cyber
security tools require you to create a list of things you
don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your
environment and network, and block everything else by default.
With ThreatLocker allow listing and ring-fencing, you gain a more secure approach to blocking
exploits of known and unknown vulnerabilities.
ThreatLocker provides zero trust control at the kernel level
that enables you to allow everything you need and block everything else,
including ransomware.
The ThreatLocker Zero Trust Endpoint Protection Platform deploys in a learning mode
that analyzes the operations of your company using machine learning
to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with
your data, and even east and west network traffic. We thank ThreatLocker for
sponsoring our show.
And we're back! It is time for our Catch of the Day.
Our Catch of the Day this week comes from a listener.
His name is Diesel, and he is from West Virginia.
And he received this message from the Venmo support team and the message is
we were frozen to process your recent unauthorized activity attempted.
Now, we were saying earlier that AI has helped make the English in these messages better
that it is harder to just spot the poor English
Than it used to be because of AI
This is an exception
so
See if you can spot where the AI that generated this message goes wildly off the rails. Here we go
Dear customer we inform you that we would like to proceed with a frozen transfer activity.
As you may know, a frozen transfer involves the use of cryo-preserved embryos, which
are thawed and transferred into the uterus in order to achieve a successful pregnancy.
Let's see. Wow.
Don't look at me. I'm not into that. Don't look at me.
That's completely normal.
Yeah.
If you disabled sign into your account by accident
through our phone line, and you do not believe
unauthorized activity or access has occurred,
you will need to verify your account
and complete the prompted steps
to regain access to your account.
And then there's a big button that says Verify Now,
and it says, Thanks, Venmo Support Team.
Obviously I'm going to leave it to you here, Seamus, to unpack, like, walk us through
the connection of where the AI, we think, made a full disconnection between several different things.
What do you make of this? This is one hacker that actually hasn't found AI yet.
That's what I'm saying.
Really?
I mean, really?
See, my assumption was that the AI went from frozen assets
and somehow connected the word frozen to frozen embryos
and just ran with that.
And completely nonsensical and nobody
you know the bad guys they don't they don't bother to proofread anything it's
all a numbers game
And of course we want to thank this week's sponsor, ThreatLocker. Go to
threatlocker.com/HH and check out their Zero Trust Endpoint Protection Platform.
That's the words threat and locker with no space dot com slash HH where you can request
a demo and neutralize the threat of malware running on your devices.
And that is our show. We want to thank all of you for listening. We'd love to know what
you think of this podcast. Your feedback ensures we deliver the insights that keep us step
ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating
and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans
at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben.
We're mixed by Elliott Peltzman and Trey Hester. Peter Kilpe is our publisher.
I'm Dave Bittner.
And I'm Maria Varmazis.
And I'm Seamus Lennon.
Thanks for listening.
Thanks for being here, everybody. Let's do it.