Front Burner - Think you’re too smart to be scammed? Think again.
Episode Date: May 10, 2024. Whether it's a complex network of fake online designer shops set up to get your credit card details, a scammer impersonating your bank's fraud department to get more personal information, or a simple "How are you today?" text that might lead to asking you to invest in a crypto scheme, scams are on the rise. And they are getting more sophisticated. Today on the show, David Reevely, who covers cybersecurity for The Logic, on the evolution of scamming and what you can do to guard against it. For transcripts of Front Burner, please visit: https://www.cbc.ca/radio/frontburner/transcripts. Transcripts of each episode will be made available by the next workday.
Transcript
This is a CBC Podcast.
Hi, I'm Jamie Poisson.
So here are a few texts some of us here at the podcast have gotten lately.
Excuse me, are you working today?
A wave emoji.
How's it going today?
Are you okay?
Do you want to come over for dinner?
I'm barbecuing.
Our executive producer's wife found herself on two different phone calls the other day with two different people, both of whom said that they were reps at her bank.
It all got so confusing.
At one point, she lost track of who the real bank rep was and who was the scammer.
Or maybe you caught this recent article published by The Cut
that completely broke the internet. Their financial advice columnist put 50k in a shoebox
and handed it over to scammers who said that they were CIA agents. The whole thing was wildly
elaborate. This is all to say that scams are on the rise and they are getting better.
And if you think that you're too smart to fall for one, well, I am not sure that we should all be so cocky.
Today on the show, the evolution of scamming and what you can do to guard against it.
David Reevely is here. He reports on cybersecurity at The Logic.
David, hey, thanks so much for coming on to Front Burner.
Great to be with you.
I'm actually really looking forward to this conversation. So we were all sitting around the office the other day, just rhyming off all the scammy text messages we all keep getting.
So when I get a message like, you must be busy today.
How are you doing?
What might be happening there?
What is the possible scammer trying to get me to do?
Just reply.
They are casting a great big huge net and seeing what comes back.
And this is a relatively new technique, which is,
I think, why it stands out. But you get these sort of non-committal, non-detailed inquiries about how
you are from phone numbers you don't recognize. The idea is that, you know, maybe you have a new
phone or maybe you have a friend who has a new phone or some other little change like that has
happened. Somebody approaches you in a familiar way and you start engaging with them.
Like, just give me an example of what could potentially happen there.
So let's say you answer this question, oh, you know, I'm really busy today,
work's driving me crazy. And the person starts asking some questions about that and then asks if maybe you want to talk about it.
Or they say that they're actually a friend of a friend and they are getting in touch about a job opportunity or something that your supposed mutual friend mentioned to them.
And it can be a very long game that some of these people play of essentially befriending you and then getting you to either reveal little tidbits of
information about yourself or occasionally manipulate you into sending them money.
So there are kind of two streams here. One is scamming you directly and the other is using you to breach
cybersecurity. And they both tend to start the same way with just making this initial contact
and getting you on the line. And then they can diverge in different directions depending on
what the bad actor is trying to do. Yeah. I've seen a lot of these. They're also, they kind of devolve into like crypto schemes too, right?
Yeah, often.
I did get one of these texts yesterday. It was someone pretending to be my mom. Just how would they to every phone number in an exchange or a full list of cell phone numbers that they got.
The numbers can receive text messages.
These are kind of the equivalent of old-timey cold calls from actual real telemarketers, which used to be annoying and now seem almost quaint.
This week on Marketplace.
They are harassing us.
This is Sam from the cleaning service.
Telemarketers from hell.
We're out to catch them breaking the rules.
They're just casting huge nets and seeing what they get.
Posing as a friend, posing as a delivery person,
posing as someone from your bank, posing as your mom.
The more information there is about you on the internet,
the more
refined someone's pitch might be. And someone like you, you have a presence on the net and
people have written about you here and there over many, many years. There's actually a lot
of information that somebody can potentially build a profile on you using. Elaborate on that a little bit more for me, the ways in which these scammers
are trying to build a profile on me, like for sure Googling me, but like how else would they,
you know, potentially be trying to get information about me that they can use in their scamming?
There is an enormous amount of information available about all of us through our various interactions with businesses primarily.
Credit scores and credit information, credit card information, direct mail stuff.
You contribute to a charity and they get your email address, potentially your physical mailing
address, just all kinds of stuff.
And it mostly sits in databases unused, but people can either hack into those databases and get the information for free, or they can just buy these profiles of people.
And oftentimes the trick is combining all this commercially available data with real world information about a live person. It's one thing to get sort of de-identified,
anonymized, aggregate data about one business's customers.
It's something else to connect that to somebody with an actual name
and their personal email address
and where they live and details about their families.
That is often what someone who is approaching you
via a text message in the
first place is trying to do, is find people who they can connect to much more detailed profiles
that are available out there, but without your name necessarily attached. And then you can find
out an awful lot about someone and in the case of an identity theft, actually pose as them sometimes.
So let's talk about some examples of that.
I need to talk to you about this scam that I mentioned in the intro that literally broke the internet a while back.
So it was published in The Cut, as I mentioned, and it involved their financial advice columnist. And basically, this piece explains an unbelievably elaborate scam
where this fake agent with the Federal Trade Commission convinces this journalist that the
financial advice columnist that her identity had been stolen and that she had been embroiled in
this international ring involving drug smuggling and money laundering and CIA officers.
It's really wild.
Like a bunch of stuff happens and then she puts $50,000 in a shoebox and hands it over in a bid to keep her money, quote unquote, safe.
Obviously, it was not safe.
A lot of people couldn't believe how gullible this woman was.
But I'm curious, like when you read that piece, given what you spend so much time looking at, like what was going through your mind?
What is amazing about this story is the detail that she shares and the fact that she is kind of the ultimate example of a sophisticated person who should not be vulnerable to these kinds of things.
And I imagine that of myself and you imagine that of yourself and she certainly imagined
it of herself.
But we are all human beings and people who really know what they're doing can use psychological
tricks and just a little bit of information about you to keep you off balance.
And the techniques that you see in that story, they can work on just about anybody.
There's this, it's a military idea that you try to overwhelm the enemy's capacity to make decisions,
just have so much going on all of a sudden from all directions that they can't function. And that's really what the story describes. They just kind of keep her moving.
They never let her get her feet under herself. And by the end, she's done this absolutely insane
thing that she recognizes in retrospect is absolutely insane. I think she said like they
even had her social security number. Like that's something that, you know, if I'm being really honest with myself, like I'd like to think I'm, you know, not vulnerable to this kind of stuff.
But like that would have me kind of, oh, maybe this is legit.
Like how else would you have this number, right?
The thing to do in a situation like that is to kind of not keep following the chain that they are pushing you
along, not follow the track that they're pushing you along. You stop, you call them back at a
number that you find, not a number that they give you. And just picking up on this idea that it's
shocking or was surprising to people that this happened to her considering who she was, right?
The financial advice columnist is pretty financially literate. But there's a bunch of research that actually backs up that younger adults,
so like Gen Zs, millennials, Gen X, they are very much falling for this kind of stuff. And,
you know, another study that was cited in her piece is that well-educated people or those with
good jobs were just as vulnerable to scams as everyone else. I just, I also found that quite interesting. Yeah. I think people who are well-educated and think
of themselves as sophisticated in some ways are easier to con by somebody who knows what they're
doing because they think they wouldn't fall for it. We also tend to have, they're called attack
surfaces. We have larger attack surfaces. We have more of our
lives online. We have more of our information online. We have more passwords for more accounts
on services that we don't use anymore that are vulnerable to breaches. There's just,
we're out there more. And that gives someone who wants to scam us many more opportunities,
many more ways of doing it.
So, you know, the example that we just talked about, that's an example of how people like you
and me get scammed by having our own information used against us. But there are also examples of
scammers scamming employees at companies pretending to be people like you and me,
right? Like pretending to be customers. And I'm thinking of a story that you wrote a while back
where a scammer scammed a Rogers employee. And just tell me a little bit more about that.
Yeah, that was a multi-stage scam. And I think that illustrates the many steps that there can be here.
What ultimately happened was some bad guys got into and cleaned out somebody's cryptocurrency wallet.
But the way they did it was they managed to convince Rogers that they were a Rogers customer, the owner of this cryptocurrency wallet,
by feeding small details about the customer's life and personal details to a Rogers customer service operator. And they managed to convince Rogers to transfer the customer's cell phone number to a different cell phone,
one that the scammers had.
And that meant that they could get access to things like passwords on certain accounts that
use phone numbers and that sort of thing as authentication and that send text messages
as second factor authentication. Essentially, they managed to steal the person's phone without
actually stealing their phone and then use that to get into all sorts of accounts. And that ended up in litigation.
Everybody was suing everybody else. Rogers insisted that the customer had been lax in
protecting their personal data. The customer insisted that Rogers had too freely given away
access to the customer's cell phone number.
The cryptocurrency company got sued.
And I don't know that that case has been resolved yet.
It may have been, but it really illustrates how hard it is to figure out who is actually
responsible for these things.
There's another one just in BC, actually, that's come up.
It's a very, very similar case.
This one involving a different cell phone company and a different cryptocurrency wallet,
but the process was exactly the same. Somebody posed as a customer, got control,
virtual control of their cell phone, basically, cloned their cell phone, and then used it to
clean out tens of thousands of dollars of cryptocurrency holdings.
Wow. This is really unnerving, thinking that something like this
could happen, and then it's very unclear who is on the hook for it. I guess one thing I was just
thinking about is, is it even possible at this point to get insurance for something like this,
considering it's such a wild west out there for whether the companies are responsible if they're
the ones that end up handing over the information? This is the problem. It is very hard to quantify the risks involved in cybersecurity breaches,
whether they're personal or corporate. And insurance companies don't like writing insurance
policies for risks that are hard to quantify. So to the extent that these sorts of things exist at
all, these sorts of policies exist at all, they tend to be really expensive because the insurance companies don't want to end up caught out.
Yeah.
Another scam that we're seeing a lot of is fake websites, right? from The Guardian and a couple other outlets just this week of this vast network of fake online designer shops that apparently have allegedly duped around 800,000 people into offering up their credit card information.
So they're like offering discounted goods for stuff like Dior and Nike and Prada.
And just what's different about the kind of scams we're seeing now around these websites versus even 10 years ago?
What's changed about this is the use of artificial intelligence.
It is way easier to whip up a quickie scam website than it has ever been before.
And it's easier to use generative AI tools, you know, things akin to ChatGPT, to convincingly pose as somebody else. It used to be that if you were going to do
this, it was kind of either you sent out spam that was identical to a zillion people, or you had to
handcraft all of these communications to the point where any one target was probably not worth all
the effort. But with the help of generative AI tools, you can actually do this at scale and
have your communications be much more convincing, whether those communications are text messages or emails or entire websites that just look different but the information on the Internet is about us on the Internet is used by hackers,
either through profiles that can be bought or information that is hacked.
And for the information that's hacked, what locations are these hackers targeting?
And do you think that those companies or government entities are doing enough to protect themselves from these hackers?
This is where I do not have good news. When it comes to protecting yourself directly, the old ways of not reusing passwords and not trusting a deal that seems too good to
be true, that can go a long way. Hackers have been increasingly doing what are called supply
chain hacks. And that means breaking into companies that handle a lot of data for other
companies. So that can be anything from cloud service providers, and those tend to be pretty
large and pretty good at cybersecurity, all the way to niche services that do things like
transfer files, quote unquote, securely for financial institutions and
for governments and for other businesses. These are companies that invest a great deal in
cybersecurity, but ultimately they are one basket that is carrying an enormous quantity of eggs.
And if you can get into that basket, then you can get access to a whole lot of stuff. We did a story not too long ago about McKinsey Financial, which had not itself been hacked, but one of its
vendors was hacked. A vendor of one of Canada's largest investment firms was the target of a
cyber attack, exposing client names, social insurance, and home addresses as well. Toronto-based McKenzie Investments, third-party merchant, Investor.com.ing,
had their clients' information leaked in a compromised data transfer.
And this is an outfit that handles investments for, I don't even know how many Canadians,
probably hundreds of thousands, and has dealings with many more.
Their cybersecurity was not the problem,
but their vendors' cybersecurity was.
So those supply chain hacks,
unfortunately, you yourself as an individual consumer cannot do very much about them.
So that is where legislation and industry standards
and nuclear investigations by privacy
and data commissioners come in,
because that is the kind of hack that I think we need the authorities to protect us from.
Right. And fair for me to say, like, you know, they're probably not where they need to be right now.
I think the evidence is that no, they are not.
If they were where they needed to be, then I would not be doing stories about them.
I know this might be a pretty broad question, and I would imagine that there is quite a bit of variety in here.
But what do we know about who the scammers actually are?
Who's doing this?
There's a huge variety, and what you find is data and information can be sold from one outfit to the next to the next to the next.
There have been stories about these fraud farms, which are horrifying tales in themselves. in Southeast Asia, where there are even bleaker versions of the scam farms in India, where people
phone up and try to get you to agree to some service that you don't actually need and they're
not going to provide. In some cases, these are people who are essentially, they've been human
trafficked into doing this kind of corrupt work. Now, survivors of alleged abuse in Myanmar have been speaking to DW about
their horrifying treatment inside a secretive so-called scam factory. Held against their will
in an operation involving crime syndicates, these victims of human trafficking are forced to execute
cryptocurrency fraud. They are the ones kind of at ground level, just trying to make the initial contact
by sending these text messages and making these initial scam calls. And then once they get
somebody on the line, that information suddenly becomes more valuable. It's not just a phone
number. It's a phone number with a person on the other end who will answer. And they start
building up the profile and that information gets sold along and then that information gets sold along
and added to and compiled into,
you know, in the honorable world,
we might call those good leads for a salesperson,
someone who actually wants to buy the product.
Well, these are good leads for scammers
and they start out with these huge
kind of drift net operations,
just sucking up every little bit of information they can.
But the more refined and compiled the profile gets,
the more valuable it is.
And at the very top end,
you get even nation state actors
buying access to this kind of thing.
If you can put together a lot of information
about someone who's in the military,
someone who works for the government, someone who has a high-level tech job in Canada, a company like Bell or
a company like Shopify.
That information is more valuable than someone who's willing to give their credit card to
buy some shoes that don't exist.
So there's this whole iceberg where it starts at the very bottom and then goes up to the
very top. Those at the very top are, journalistically, kind of the fun stories,
but also the truly horrifying ones and the ones that actually can put us all at risk.
Right. David, this was so interesting. Thank you so much for coming by.
We really, really appreciate it.
Thanks so much. I like talking about it.
All right, that is all for this week. Front Burner was produced this week by Matt Alma,
Allie Janes, Matt Mews, and Derek Vanderwyk.
Sound design was by Mackenzie Cameron,
Sam McNulty, and Dev Modi.
Music is by Joseph Chabison.
Our senior producer is Elaine Chao.
Our executive producer is Nick McCabe-Locos,
and I'm Jamie Poisson.
Thanks so much for listening,
and we'll talk to you on Monday. Thank you.
For more CBC Podcasts, go to cbc.ca slash podcasts.