LPRC - CrimeScience – The Weekly Review – Episode 221 Ft. Dr. Sam Yeung
Episode Date: October 9, 2025

In this episode of the LPRC CrimeScience Podcast, Cory Lowe speaks with fellow LPRC team member Dr. Sam Yeung regarding his latest Research2Practice article. Dr. Yeung explains in detail some of the latest social engineering scams and helps share some mitigation tactics to avoid falling victim to them. You won't want to miss this episode!
Transcript
Hi, everyone, and welcome to crime science.
In this podcast, we explore the science of crime and the practical application of this science
for loss prevention and asset protection practitioners as well as other professionals.
Good morning, good afternoon, and good evening, everyone.
My name is Cory Lowe.
I'm the director of research here at the Loss Prevention Research Council,
and I'm joined today by Dr. Sam Yeung.
Sam, welcome to the podcast.
Thank you for having me.
Thank you for being here.
So recently you released a new Research2Practice article
on a sophisticated phishing scam
in which the scammers spoof the email addresses of an organization,
then send emails back and forth to each other about an invoice,
and then one of those fake email addresses forwards the invoice to a targeted company to get them to pay that fake invoice.
Now, it's a pretty complicated process to explain via a podcast.
It's pretty amazing, pretty complicated, pretty complex, and probably pretty successful.
Can you tell us a little bit about why that is such a successful scam?
I would say, in one word, it is believability, because to someone higher up who likely has the power to approve some type of payment, the exchange would look authentic in the sense that there is back and forth across multiple parties,
and the email address looks similar to what the target organization's would look like,
with some caveat, of course, that it is not really authentic, but at least it looks largely authentic
because it may have the exact same spelling but just end with a different type of organization,
such as not dot com, but dot org or dot something else.
So when you look at it initially, it looks very authentic.
Yes, and we came to be aware of this particularly complex and sophisticated scam
because we knew some organizations that were targeted by it, unfortunately.
Now, one of the key parts here is that spoofing of the email addresses,
where they make a slight change.
And in the article that you wrote, you talk about the Cambridge word scramble effect, which is what is really being used here to scam people.
I mean, it's a core piece of it.
Can you tell us a little bit about the Cambridge word scramble effect?
Yeah, sure.
So I'm not sure if our listeners are parents, but if our kids write something wrong in a sentence, misspell a word, we will still be able to guess what the word, what the intended meaning of the word, is.
It is an amazing ability in human beings
that we are able to understand scrambled words
in a sentence, even if maybe 80 of the words are scrambled.
So we are not really processing the word at a letter level,
so that, say, apple must be spelled as A-P-P-L-E for us to understand.
It can be spelled as A-P-L-P-E and we will still be able to guess the meaning.
So we are processing the information at a higher level rather than every single letter.
And that is really, to us, a disadvantage here, and it's an advantage for the bad guys,
because if something looks familiar enough and we are able to process it, we put higher trust
on the source of information.
Most definitely. And the example that you put in the report, which I'm reading right now, is: it doesn't
matter what order the letters are in a word, only that the first and last letter are correct. And
every single one of those words that I just read is absolutely scrambled except for that first and
last letter. As long as those are right, we take some shortcuts, some mental shortcuts, and
fill in the rest and adjust the rest so that we can understand what was actually being said,
which is, like you said, pretty amazing that the human brain does that.
Also unfortunate for a lot of reasons.
One of the things that you also mention is that trust is vital, right?
We have to be able to trust who we're interacting with because if we want to get things done.
And we want to be as efficient as possible.
How does that dynamic influence the success of this type of scam?
For any type of social structure, not just in humans, trust is important.
Food animal is food smells.
For us, it is a lot more, of course.
So the bad guys are trying to gain our trust by going a little bit further,
by registering a scam domain that looks very much alike and authentic to an organization.
For example, say Oracle; they may register oracle dot something else or
oracle.org. There are advantages to targeting large organizations specifically, because the number of
employees there, of course, should increase as well because of the size of the company. So by doing so,
they are trying to leverage the trust that may be gained from the domain name, and also the public
information that is available on LinkedIn or in press releases about certain high-profile
people, maybe the CFO or someone who works under the CFO, how they talk, the style of their exchange.
That can be used, especially with the rise of AI. It's not too complicated to recreate
such an exchange through the use of AI.
Yeah.
And that's the future of this, right?
Where it'll be very easy to not only spoof an email address that looks similar,
but to be able to create videos of people that are completely made up using artificial
intelligence or audio of people's voices to do these kinds of schemes.
So it's pretty incredible what's going on out there.
Now, in the article, you also offer up several different ways to defend your organization against these types of scams.
One of the ones that you mentioned is out-of-band verification.
Can you tell us a little bit about what out-of-band verification is and contrast that to in-band verification?
Yeah.
So in-band verification, it would involve verifying someone's identity through
the channel used to initiate contact. So if you receive an email about a payment request,
you should check the email's exact spelling. That is in-band verification. For out-of-band
verification, it's when a separate channel is used to verify a request. So if you request a text
message from someone who looks like your boss to do something, you need to be able to verify it
through a separate type of media or channel. To verify, you may talk to your boss in person or email
your boss with, of course, the authentic address to double-check whether the request was actually
from him or her. Yeah. So if you reached out to me and said, hey, Cory, send me a thousand dollars
because I'm such a wonderful team member and I get so much done on the team. And that was through
email, I'd reach back out to you via phone and say, did you just request this? Something like that.
And we'd probably have a longer conversation about that, because you are an awesome team member,
but that's out-of-band versus in-band verification. Also, you mentioned things like
domain awareness, just being aware of the domain names and looking for those scrambled letters
in the addresses.
You also mentioned access and authorization controls
in terms of who can initiate payments, things like that.
What are some of the other things that you recommended in that article?
Only allow or authorize domains so that, say, if it's LPRC,
it should only be the LPRC type of domain rather than something that looks similar
but not with the exact spelling, so that you know that everything coming through,
into or out of the email, is coming from authorized or trusted sources. And slow down a little bit
sometimes. Although there may be something that is urgent, if we take a second to further process
it, it may actually reveal that some of the requests might not
be coming from authentic sources.
Yeah, I think that's absolutely key.
It's just to slow down and to encourage people to slow down and, you know,
if something seems a bit off or out of the norm,
just to go ahead and check on a little bit.
Look into it a little bit more because if it seems suspicious,
it probably is a little bit off.
Those are all very, very helpful things to do.
And I think that this is a very helpful article for those who need to avoid these types of problems.
I want to go back to something that you mentioned just now, which is the sense of urgency.
You know, sometimes you get these requests and they seem urgent because they're coming from potentially important people, or people who seem like they're important, or coming from their email addresses, or spoofed email addresses, I should say.
But I think that sense of urgency is
often used in these types of scams.
One of the scams I know is that it's out there
is where scammers call stores and create a sense of urgency
by saying that if the employee doesn't get money out
and deposited in a certain place,
that something won't be able to be done in time.
So I think that's a key piece of some of these scams as well,
even though it's not, it wasn't in this case.
But Sam, I just want to thank you for once again joining us today.
It's been a fantastic discussion about your recent article on these sophisticated phishing schemes.
So thank you very much for joining us.
Thank you for having me.
You have a good thing.
You as well.
Thanks for listening to the Crime Science Podcast, presented by the Loss Prevention Research Council.
If you enjoyed today's episode, you can find more crime science episodes and valuable information at LPRsearch.org.
The content provided in the Crime Science Podcast
is for informational purposes only
and is not a substitute for legal, financial, or other advice.
Views expressed by guests of the Crime Science podcast
are those of the authors
and do not reflect the opinions or positions
of the Loss Prevention Research Council.