LPRC - CrimeScience – The Weekly Review – Episode 221 Ft. Dr. Sam Yeung

Episode Date: October 9, 2025

In this episode of the LPRC CrimeScience Podcast, Cory Lowe speaks with fellow LPRC team member Dr. Sam Yeung regarding his latest Research2Practice article. Dr. Yeung explains in detail some of the latest social engineering scams and helps share some mitigation tactics to avoid falling victim to them. You won't want to miss this episode!

Transcript
[00:00:00] Hi, everyone, and welcome to Crime Science. In this podcast, we explore the science of crime and the practical application of this science for loss prevention and asset protection practitioners as well as other professionals. Good morning, good afternoon, and good evening, everyone. My name is Cory Lowe. I'm the director of research here at the Loss Prevention Research Council, and I'm joined today by Dr. Sam Yeung. Sam, welcome to the podcast.
[00:00:28] Thank you for having me. Thank you for being here. So recently you released a new Research2Practice article on a sophisticated phishing scam in which the scammers spoof the email addresses of an organization, then send emails back and forth to each other about an invoice, and then those fake email addresses, one of them, forwards the invoice to a targeted company to get them to pay that fake invoice. Now, it's a pretty complicated process to explain via a podcast.
[00:01:17] It's pretty amazing, pretty complicated, pretty complex, and probably pretty successful. Can you tell us a little bit about why that is such a successful scam? I would say in one word is believability, because when someone higher up who likely has a power to approve some type of payment, the exchange would look authentic in the sense that there are back and forth across multiple parties, and then the email address looked similar to what the target organization would look like, with some caveat, of course, that it is not really authentic, but at least it looks largely authentic because it may have the same exact spelling, but just end with different type of organizations, such as not dot com, but dot org or dot something else. So when you look at it initially, it looks very authentic.
[00:02:27] Yes, and we came to be aware of this particularly complex and sophisticated scam because we knew some organizations that were targeted by it, unfortunately. Now, one of the key parts here is that spoofing of the email addresses, where they make a slight change. And in the article that you wrote, you talk about the Cambridge word scramble effect, which is what is really being used here to scam people. I mean, it's a core piece of it. Can you tell us a little bit about the Cambridge word scramble effect? Yeah, sure.
[00:03:10] So I'm not sure if our listeners are parents, but if our kids write something wrong in the sentence, misspell a word, we will still be able to guess what the word, what the intent, kind of meaning of the word is. It is an amazing ability in the human beings that we are able to understand scrambled words in a sentence, even maybe 80 of the words are scrambled. So we are not really processing the word at a letter level so that, say, Apple must be spelled as APB-L-E for us to understand. It can be spelled as APLB-L-E for us to understand.
[00:03:49] A-P-L-P-E, we will still be able to guess the meaning. So we are processing the information at a higher level rather than every single letter. And that is really, to us, is a disadvantage here, and it's an advantage for the bad guys, because if something looks familiar enough and we are able to process it, we put higher trust on the source of information. Most definitely. And the example that you put in the report, which I'm reading right now, is: it doesn't matter what order the letters are in a word, only that the first and last letter are correct. And those, every single one of those words that I just read, are absolutely scrambled except for that first and
[00:04:39] last letter. As long as those are right, we take some, um, shortcuts, some mental shortcuts, and, uh, fill in the rest and adjust the rest so that we can understand what was actually being said, which is, like you said, pretty amazing that the human brain does that. Also unfortunate for a lot of reasons. One of the things that you also mention is that trust is vital, right? We have to be able to trust who we're interacting with because if we want to get things done. And we want to be as efficient as possible. How does that dynamic influence the success of this type of scam?
[00:05:20] For any type of social structure, not just in human, not just in human, trust is important. Food animal is food smells. For us, it is a lot more, of course. So the bad guys are trying to gain our trust by going a little bit further, by registering a scam domain that looks very much alike and authentic organization. For example, say Oracle, they may register oracle.com and then dot something else or oracle.org. There are advantages for targeting large organizations specifically because the number of employees there, of course, should increase as well because of the size of the company. So by doing so,
[00:06:10] they are trying to leverage the trust that may gain from the domain name and also the public information that is available in LinkedIn or spook press release, that are certain high-profile people, maybe CFO or someone who work under CFO, how they talk, the style of their exchange, can be used, especially with the rise of AI. It's not too complicated to recreate such exchange through the use of AI. Yeah. And that's the future of this, right? Where it'll be very easy to not only spoof an email address that looks similar,
[00:06:54] but to be able to create videos of people that are completely made up using artificial intelligence or audio of people's voices to do these kinds of schemes. So it's pretty incredible what's going on out there. Now, in the article, you also offer up several different ways to defend your organization against these types of scams. One of the ones that you mentioned is out-of-band verification. Can you tell us a little bit about what out-of-band verification is and contrast that to in-band verification? Yeah. So in-band verification, it would involve verifying someone's identity
[00:07:40] through the channel used to initiate contact. So if you receive an email about a payment request, you should check for the email exact spelling. That is in-band verification. For out-of-band verification, it's when a separate channel is used to verify a request. So if you receive a text message from someone who looks alike your boss to do something, you need to be able to verify through a separate type of media or channel. To verify, you may talk to your boss in person or email your boss with, of course, the authentic address to double check whether the request was actually from him or her. Yeah. So if you reached out to me and said, hey, Cory, send me a thousand dollars because I'm such a wonderful team member and I get so much done on the team. And that was through
[00:08:38] email, I'd reach back out to you via phone and say, did you just request this? Something like that. And we'd probably have a longer conversation about that, because you are an awesome team member, but that's the out-of-band versus inbound, end-band verification. Also, you mentioned things like domain awareness, just being aware of the domain names and looking for those scrambled letters and in the addresses. You also mentioned access and authorization controls in terms of who can initiate payments, things like that. What are some of the other things that you recommended in that article?
[00:09:25] Only allow or authorize domains so that, say, if it's LPRC, it should only be LPRC type of domain rather than something that looks similar, but not with the exact spelling, so that you know that everything coming through or out of the email, coming in the email, from authorized or trusted sources. To slow down a little bit sometimes, although there may be something that is urgent, but if we take a second to further process it, it may actually review a lot, some of, some of the requests might not be coming, be coming from authentic sources. Yeah, I think that's absolutely key.
[00:10:12] It's just to slow down and to encourage people to slow down and, you know, if something seems a bit off or out of the norm, just to go ahead and check on a little bit. Look into it a little bit more because if it seems suspicious, it probably is a little bit off. Those are all very, very helpful things to do. And I think that this is a very helpful article for those who need to avoid these types of problems. I want to go back to something that you mentioned just now, which is the sense of urgency.
[00:10:48] You know, sometimes you get these requests and they seem urgent because they're coming from potentially important people or people who seem like they're important or coming from their email addresses or spoofed email addresses, I should say. But I think that sense of urgency is often used in these types of scams. One of the scams I know is that it's out there is where scammers call stores and create a sense of urgency by saying that if the employee doesn't get money out and deposited in a certain place, that something won't be able to be done in time.
[00:11:23] So I think that's a key piece of some of these scams as well, even though it's not, it wasn't in this case. But Sam, I just want to thank you for once again joining us today. It's been a fantastic discussion about your recent article on these sophisticated phishing schemes. So thank you very much for joining us. Thank you for having me. You have a good thing. You as well.
[00:11:46] Thanks for listening to the Crime Science Podcast, presented by the Loss Prevention Research Council. If you enjoyed today's episode, you can find more Crime Science episodes and valuable information at LPRsearch.org. The content provided in the Crime Science Podcast is for informational purposes only and is not a substitute for legal, financial, or other advice. Views expressed by guests of the Crime Science Podcast are those of the authors and do not reflect the opinions or positions
[00:12:16] of the Loss Prevention Research Council.
