Passion Struck with John R. Miles - Brad Deflin on How to Stay Safe and Private Online | EP 639
Episode Date: July 18, 2025

In this essential episode of Passion Struck, John R. Miles sits down with cybersecurity expert Brad Deflin, founder of Total Digital Security, to explore why digital protection is no longer optional—it’s personal. As cyber threats evolve faster than ever, most people still rely on outdated solutions or remain dangerously unaware of their vulnerabilities.

Brad explains how cybersecurity is no longer just an IT issue—it's a human one. From protecting your family’s privacy to preserving your professional reputation, the stakes are higher than ever. Drawing from his background in wealth management and his work with high-net-worth clients, Brad shares a clear and empowering framework for taking ownership of your digital life.

Visit this link for the full show notes.

Go Deeper: The Ignited Life
If this episode stirred something in you, The Ignited Life is where the transformation continues. Each week, I share behind-the-scenes insights, science-backed tools, and personal reflections to help you turn intention into action. Subscribe and get the companion resources delivered straight to your inbox.

Catch more of Brad Deflin: https://www.totaldigitalsecurity.com/

If you liked the show, please leave us a review—it only takes a moment and helps us reach more people! Don’t forget to include your Twitter or Instagram handle so we can thank you personally.

How to Connect with John:
Connect with John on Twitter at @John_RMiles
Follow him on Instagram at @John_R_Miles
Subscribe to our main YouTube Channel and to our YouTube Clips Channel
For more insights and resources, visit John’s website

See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Transcript
Coming up next on Passion Struck.
You have to be intentional to protect yourself in this digital age,
because nobody else is gonna do it for you.
The ISP, your internet provider, will not do it for you.
They're trying to help with certain things,
but the fact is your internet provider's sucking up
all your personal information
with everything you do back and forth.
They're part of the game.
You've got big tech and big business
constantly looking to suck up our personal information,
which invariably ends up in the wrong hands and goes sideways eventually.
You have the government that really has not been a proponent down to the individual level,
certainly on a national level or an enterprise level or a military level, but not on a consumer
individual.
You must take the initiative yourself on behalf of yourself as a head of household for your
family.
Welcome to Passion Struck.
Hi, I'm your host, John R. Miles.
And on the show, we decipher the secrets, tips,
and guidance of the world's most inspiring people
and turn their wisdom into practical advice
for you and those around you.
Our mission is to help you unlock the power
of intentionality so that you can become
the best version of yourself.
If you're new to the show, I offer advice and answer listener questions on Fridays.
We have long form interviews the rest of the week with guests ranging from astronauts to
authors, CEOs, creators, innovators, scientists, military leaders, visionaries, and athletes.
Now let's go out there and become Passionstruck.
Welcome to episode 639 of Passionstruck.
I'm your host, John Miles, and whether you're back
for more or joining us for the first time,
I am so glad that you're here.
This month on the show, we're exploring the power to change,
a series about evolving, not just in your habits,
but in your identity, your relationships,
and how you show up in the world.
Earlier this week in episode 637,
I sat down with cultural psychologist Stephen Heine
to explore how our cultural programming
silently shapes who we become.
And in episode 638, Michelle Chalfant walked us through
the power of emotional maturity and her adult chair model for self-leadership and inner healing.
But what about the power to protect what you're building? Because let's face it, transformation
isn't just about becoming someone new. It's also about safeguarding the life you've worked so hard
to create. That's why today's episode is a little
bit different. Instead of a solo episode, I wanted to bring you this urgent conversation with
cybersecurity expert Brad Deflin, founder of Total Digital Security. A very good friend of mine has
used Brad's services in the past and thought his message is so profound that he
suggested that I do this interview for the benefit of the passion-struck
community. In a world where cyber threats are growing more personal, more invasive,
and more invisible than ever before, Brad makes one thing clear. Cyber security
isn't just a tech problem, it's a human one. Together we'll explore why digital risk is now
a personal crisis. We go into how scammers are using AI to mimic voices and hijack trust,
and most importantly the three steps you should take today to protect what you've built. This
episode is a wake-up call, but also an empowering toolkit. And if you're ready to go deeper into intentional
living and everything we do here at Passion Struck, then subscribe to The Ignited Life.
Then subscribe to our Substack at theignitedlife.net for weekly insights. While you're there, join the
Ignition Room, our members-only community, and show your support of the community by wearing
apparel from our merchandise line. You can also follow along on YouTube at either John R. Miles or PassionStruckClips
for full episodes and bonus content.
Here's my urgent and eye-opening conversation with Brad Deflin.
Thank you for choosing PassionStruck and choosing me
to be your host and guide on your journey to creating an intentional life.
Now, let that journey begin.
I am so excited today to welcome Brad Deflin to Passion Struck. Welcome, Brad.
Glad to be here, John.
As I talked about in my introduction, today isn't the typical episode that I do
on the podcast, but I thought it was really
important to bring you on today because I've personally lived the chaos of cyber crime.
And back when I was a senior executive at Lowe's, I was hired to deal with what at that
time was the largest retail hacking incident of its kind.
Not sure many of the Passion Struck listeners know that.
So I know firsthand that the threat is real,
it's evolving and on a human basis, it's deeply personal.
So I think this is a good starting point.
You walked away from a very successful financial career
to build your company, Total Digital Security.
And what did you see as the shift that was coming before most did that made you leave that
successful financial career?
So it was an aha moment. It was a sudden realization that the world, the face of risk as I called it, was changing.
When you are in the financial services business
and you're dealing with ultra high net worth clients
and families and family offices like me, like I was,
everything is about risk mitigation, risk management.
And that's not just their investments, their stocks and bonds,
but it's other elements of risk.
And so we always wanted to be value added and bring up topics that weren't necessarily
directly related to the market, but were related to our clients that in many cases would be targets in crimes that others might not be
targets like kidnapping, for example.
And so I was at JP Morgan at the time, it was 2012, managing some of the bank's largest
clients around the world, multi-billion dollar families.
And we had a series of incidents with the clients
where I noticed a pattern for the very first time. And that was that they were being targeted
by hackers for a criminal transaction, that is to fake them into sending them money,
which was very different. That sounds obvious today, right?
That's what happens,
and that's what we see every day all day long.
Back then it was different.
In 2012, cyber crime was an enterprise level problem.
It was around theft of intellectual property.
It was about corporate espionage, blackmail in some cases,
state actors, Pentagon, very large enterprises,
not so much a transaction for criminal gain.
These were called black hat escapades or exploits,
if you would.
This was a very personal thing
and that was a little bit different.
And it was happening at this tier because that's where the money was.
But what we noticed with these clients is they were still using their AOL email accounts
that they may have opened in 1996, or their Yahoo accounts, or their MSN Hotmail accounts.
While they were captains of industry in some cases,
and they had the best IT departments ever
in their companies.
That was not transcending into their personal life.
There were no defenses, there was no awareness,
and I coined it the democratization of cyber risk.
And what I meant was that those were the very first indications
that there was a shift where it was going to begin focusing on anybody
that was connected to the internet.
Because at that point in 2012, we all were, which was a new phenomenon.
It was coined the mobile revolution.
It was unpredicted by anybody.
But when Steve Jobs pointed to his first iPhone
and he said this changes everything, he was spot on. He wasn't talking about the iPhone necessarily.
He was talking about a supercomputer in the palm of your hand connected to five or six billion
others around the world. That's what changed. And people, the mobile revolution was all about people wanting to use their personal computer, their device, their phone, wherever they were.
The subway, Starbucks, the hotel. They didn't want to have to come home and turn on the computer under the desk and then get to work.
So then we had clouds and all of our information was dispersed and vulnerable.
And that was really the moment that kicked off this enormous cyber crime epidemic that we see today.
And so we noticed some of those fact patterns.
We realized it was the start of something very big.
And that's when we started the company.
On Passionstruck, we talk a lot about human flourishing and building an intentional life.
And the reason that you're here is because of a listener of the show who had a personal experience
that they brought to my attention where because of a threat to them, they had to chase down their auto
pays, they had to freeze accounts, reset pass codes, and it basically disrupted
their life for almost two months.
And I bring this up because that's who referred me to talk to you.
And I thought it was important, but you go through all this trouble
of creating a life with intention, you start
building the life you want and creating this mass of wealth that you want to bring into
your life.
And so when you and I were talking about the need to do this episode, the thought to me
was you have to be intentional about how you protect it as well.
So my question to you is why do you believe cyber security and
our own personal security is now a pillar of living intentionally?
What really attracted me
to doing this podcast with you besides having the mutual friend, the mutual client, when I looked
into your podcast and understood where you were coming from and some of the
value that you added to your listeners, I felt that it was very much aligned with the
principles and what we see as our mission here, which we describe as cybersecurity for
life.
Let's think about that a minute.
Cybersecurity for life, multiple innuendos there. And the point is that you have to be intentional
to protect yourself in this digital age
because nobody else is gonna do it for you.
The ISP, your internet provider, will not do it for you.
They're trying to help with certain things, but the fact is your internet
provider is sucking up all your personal information with everything you do back and forth. They're part
of the game. You've got big tech, right, and big business constantly looking to suck up our personal
information, which invariably ends up in the wrong hands and goes sideways eventually.
You have the government that really has not
been a proponent down to the individual level,
certainly on a national level or an enterprise level
or a military level, but not on a consumer individual.
You must take the initiative yourself on behalf of yourself as a head
of household for your family, as a person that works with a small group. We deal
with family offices for example because again nobody's going to do it for you
and if you think that the internet service provider with their antivirus is
going to help or if you think that the little features
of it's not the perpetrators are so smart are skilled using state-of-the-art technology
for efficacy that the only way you stand a chance in this hostile
environment is to intentionally protect yourself, to take the responsibility on behalf of yourself and those that are counting on you to protect yourself
because probabilities are very high that something can go wrong and yes when it
does go wrong, recovering in two months is not bad. I've seen cases where it's
taken two years to recover.
There is a long tail to recovering.
We can talk about that in a little bit.
But my point is to get to where I believe you need to be
in today's hostile environment,
much less the future with AI,
you've got to take the first step.
You've got to take the initiative.
You've got to do some critical thinking
and invest in being, protecting your personal information,
having the privacy that you seek
and being able to enjoy everything
the digital world has to offer,
including the internet and artificial intelligence,
in peace with a sense of peace.
It takes an intentional effort to accomplish that.
And I'm sure you see it on an everyday basis almost,
but I have heard it from my parents and friends
of my parents and friends of mine and other colleagues
that they're hit by ID theft,
financial fraud, in some cases,
they're even being harassed by these perpetrators.
From your view, how widespread is this epidemic
and how much is it growing in magnitude?
We see it every day, all day,
but at the end of the day or at the end of the week,
we still shake our heads with wow.
This stuff is crazy and it just keeps getting crazier. We just keep saying that over and over. But from a higher point of view beyond what we do all day every day,
the current statistics are that somebody in the US has their ID stolen every 22 seconds. Every 22 seconds in the US,
a citizen of ours has their identity stolen.
That amounts to something between $50 and $75 billion
in losses, those ID theft cases, according to the FBI.
And according to the FBI,
it's growing at a rate of 20 to 25 percent a year.
Overall, besides ID theft, cybercrime is now costing
global GDP about 1 percent.
About 1 percent of global GDP represents damages
or damages represent about 1 percent of global GDP,
which is almost $10 trillion.
Our estimate in damages just 18 months ago was $6.5 trillion.
That was adjusted by all the ones that run these numbers
to $10.5 trillion now.
So it's an enormous element when you put it together.
And what's really interesting, John,
and I think that has to be understood,
is that when we started in the business, 99% of these damages were enterprise state level
damages. It wasn't even on the radar screen where the consumer damages are. Today, when
you look at damages in its totality, about 70 to 80 percent of those damages are
now consumer damages.
So the overall pie of damages and exploit is growing and growing, but the portion to
consumers, individuals, everyday users of technology is even growing faster than the
overall pie.
And that brings us to where we are today.
I think I shared with you that I have a very good friend who used to be the chief information
security officer of a bank that was almost the size of JP Morgan Chase.
My understanding is JP Morgan Chase is still the largest bank in the United States.
This one was probably the second or third in terms of size.
And he shared with me candidly that on a weekly basis, tens of millions of dollars would disappear
out of people's accounts and that the government would come back in and fill it back up because
they didn't want to create wide scale panic. Oftentimes the victim didn't even know it was gone
before the bank replaced it.
Do you think that's going on across all the banks
and this is just something that most people aren't aware of?
I don't know.
I don't have that inside knowledge.
It doesn't surprise me.
I wouldn't doubt it.
I do have a sense that broadly the level of damages,
the volume of damages has been under reported. I'm not sure exactly why. On one hand, I think that
if you can use a big company name in your headline, the headline is more interesting, I don't know. Or if you can say the exploit was $100 million in damages, that might be a better headline than I lost $10,000.
Right? I don't know what the reason is, but we by all means feel that this is a massively under-reported situation, certainly in the United States.
I would tell you that next time you go to a retail branch at a bank, if anybody ever does that
anymore, look to see where the line is. And you might see, they call them the private banker or
the local banker where you might want to go in and talk about getting a mortgage
or car loan, whatever.
That line to get into one of those private offices
at your local branch, more often than not,
is a line of people that have just lost money,
that are receiving texts that they don't know
if they're real or not,
are receiving emails and voicemails and they're very confused about what's happening,
and they need to talk to somebody about straightening it out.
Those indicators tell me that we have an under-reported situation here at the current time.
I just closed on a house and I have to tell you a couple things
that are always nerve-wracking for me.
One is when you wire the money, going through those digits so many times to
make sure that you're sending it to the right place, especially if it's a lot of
money, but you push the button. For as much as people have gone to online
banking,
I was shocked this last time how difficult
it was to get an appointment in one of these branches.
I bank at a well-known bank that had probably seven or eight branch offices within about
a 10-mile radius from me.
I could only find one appointment on the day I needed to wire the money because they're
all so busy.
So I think maybe what you're saying, you're onto something.
So for the average listener or average viewer of this, a lot of what we're talking about feels invisible until it's too late.
What are some of the most overlooked ways people are exposing themselves every day without even realizing they're doing it.
You're right. It's a very abstract subject. People struggle to see in their mind's eye, the risk,
what's going on. It's very frustrating, very unlike traditional crime. There really aren't forensics that you can speak of
or certainly not traditional forensics.
We are not taught certain life skills.
We're taught don't walk down the dark road, dark alley,
don't cross a busy street, right?
But we're not taught necessarily about
what's the right way to use social media.
What's the art and science of using passwords?
How do you optimize your browsers to defend yourself?
Are you using MFA on every single account that you have?
Have you transcended considering MFA an inconvenience
to considering it an empowering element of
protecting yourself, an empowering element of taking the initiative and the intention
to keep yourself safe on the internet.
So we try to talk to people in ways that they can build in their mind's eye the different
elements that make a difference so that they can focus, they can pay attention, and they can develop
what we call critical thinking skills.
But you have to go back to the fundamentals and anything you work with, you have to go
back to the fundamentals and the fundamentals here are, number one, email is a very popular
attack vector. When you are at your inbox, you've got to be on your toes.
You've got to treat emails as guilty
until proven innocent, right?
And you've got to be really discriminating
around how you treat your inbox.
You've got to use good passwords.
And I can talk about that in detail
on how to use the art and science of passwords
if you want, John.
You've got to use MFA, okay?
Just before you go on, can you explain what MFA is
in case someone doesn't understand?
MFA, 2FA, two factor authentication,
it all essentially refers to the same thing.
And what it is, it's an added proof that you're the right person trying to get into that account.
It assures through two methods that you're the right two separate, completely separate
methods.
One might be, well, they know the password, okay.
But do they also have the device they say
they have with the phone number? So they can send you a code. So if you entered your password
on the website and you also got a text and entered the code that you got on your phone,
that's two factors saying you're the right guy. Just adding that additional factor of getting that code mitigates the risk of somebody having
stolen your password and getting into your email account immeasurably, like 90% is mitigated,
right?
It's one of those easy things.
So any account that makes any difference at all to you, and enable two factor authentication MFA,
they may call it and get those codes before you get in to your website.
It will make your life much more secure.
Yeah.
And it's not just that.
I've had some colleagues who are on YouTube, who had successful YouTube accounts where they were
making a lot of monetization on them. They didn't have two-factor authentication on them. Someone
takes over the account and then holds them hostage and charges them a ransom to get access back to
the account. Are you also seeing things like that happening with other social media accounts?
Absolutely, all the time. And so I think the default is any online account you have
enable two factor because there may be other information that could be interesting personal
information. Maybe they won't hack the account. Maybe there's no ability to financially move money, but there would be the
ability to gather more personal information, to compose some sort of exploit because they know
certain information that's on that website. So just basic habit, enable two-factor authentication,
MFA. And I would say one more thing, especially if you're a crypto trader,
especially if you move money in motion, right, is a honey trap. That's money in motion is what
hackers are looking all over the internet for every day. An estate settlement, a closing
transaction on a home, a wire transfer, a stock option exercise that might be public, et cetera, et cetera.
If you are of that type that is moving money for whatever reason,
instead of getting SMS codes on your text, opt to get an authenticator.
That adds another level of security.
Microsoft makes an authenticator, Microsoft authenticator.
Google makes an authenticator, Google authenticator.
I prefer Google authenticator.
It's user friendly and it's easier when you get a new phone
than Microsoft is.
However, some Microsoft products require you
to use Microsoft Authenticator.
What happens though, when you use Authenticator,
is it lops off a whole nother element of risk.
And that is if the phone company has been hacked
or there's an insider at the phone company,
there's a third party that somehow is able
to get those texted codes to you, that's a risk.
When you use an authenticator, you eliminate that risk.
So again, if you're an investor, crypto trader, whatever you're wiring money around,
whatever your duties are as a fiduciary, by all means, download an authenticator
and start using it with these important accounts.
I use it for everything from my YouTube accounts to my social accounts to my major bank accounts. And I also use services similar to LastPass and others, help me generate strong passwords.
What would be your advice on the password side?
So those are great habits and I think a password manager is essential. You still have people that say I don't want all my
eggs in one basket and I understand that, but we have to
think a little bit deeper. If you keep a spreadsheet of your
passwords, all your eggs are in one basket. Whatever you're
doing, you have that risk.
The fact is though that the best password managers,
and I think most of them in the industry now,
separate the keys to the encryption of your passwords.
They're in two separate places.
So LastPass could be hacked and LastPass has been hacked, but they're not
going to get the passwords because the encryption key is someplace completely different. We prefer
OnePass. There are other good password managers, but OnePass, 1Password I should say is the name,
is the number one password, is consistently ranked and in our due diligence consistently is at the top in
terms of governance, technology, user experience, and really importantly, innovation.
They're now making it easier to add passkeys.
So you don't even need to enter any SMS codes because you're taking the passkey approach built into your password manager.
So all you do is click a button without entering
any codes or numbers, and you're in without compromising
any security.
So password manager is essential.
Pick one of the top ones.
They're all in the top two, three, four.
We like 1Password.
And let's talk for a minute about the art and science
of making passwords.
First of all, when you use a password manager,
you really only need to remember one password
and that's your master password to get in
to the password manager.
That is your vault of passwords.
That should be long and it should be unpredictable and this is why.
We've always been taught that a good password should be long, should be unpredictable,
and should be complex. That is lowercase, uppercase, numbers, symbols, right?
Honestly, complexity is not what drives a good password. Only two things drive a good password,
and that is length and lack of predictability.
Some websites still require you to add complexity,
uppercase, lowercase, and that's okay,
but you can make it easy on yourself by just putting
an exclamation point in a 1, 2,
3 after a long password.
The science of passwords is this.
If you use up to 12 or 14 characters,
and that's a long password to a lot of people,
but if you use up to 12 or 14,
anybody can buy a password hacking software program
or get it for free now on the internet.
They can hack a 12, 14 character password
in less than an hour, sometimes even minutes.
But the law of large numbers helps us. When we go to 16 characters,
that will take years to crack using these password managers. It's simply much harder to do with long chains of numbers and characters.
How, though, can you remember? Nobody, the human brain is not wired to remember 16, 18,
20, 22 random characters in a row?
Don't even try.
What to do is to use two, three, four words or a phrase.
It can't…don't make it predictable. Don't make it…don't make it a success in 2025.
All right? Three or four words, for example, a good password might be,
and I used this in the past. Think about this.
Cowboy, palm tree, moon, and then a number one and an exclamation point because most websites require the complexity.
Now, in my mind's eye, when I try to remember that password, I see a cowboy leaning against a palm tree on the moon.
I capitalize cowboy, P on palm tree, M on moon. It satisfies the needs for my master
password. I still write it down and put it in my sock drawer because the brain is a weird thing
and you do not want to lose that master password. You will have issues, right? But that's the way to
at least construct it. Now when you've got a long, good master password,
you get into your password manager vault
and everything else is done for you.
I have mine set to 22 characters.
My Amazon account has 22 random characters.
All my accounts have very long, complex passwords
that nobody could ever guess or hack using
any modern password hacking software.
And I will commit to you, any of the listeners, viewers, that if you just take a little bit
of time to download the password manager, get used to the user interface, and make a
habit of using it for all of your accounts, I commit to you, not
only will your life become vastly more secure online, your life will become vastly more
convenient.
You go to Amazon and, bing, it fills in 22 long characters and you're ready to go.
You're not looking around, you eliminate all that frustration and friction, and it works really well.
So we actually hold one hour, we call them computer coaches, to help people just ramp up the learning.
Here's how you look at the user interface, here's how you get started.
That expedites the learning curve, the process for individuals, and then they're on their way,
and you've got a lifetime partner in your password manager
to stay secure and be convenient.
Awesome advice.
Brad, I now wanna take us to a topic
of what's really happening under the surface right now,
especially the rise of something called the smishing triad.
What is it and why should every listener and viewer be paying attention to this emerging
threat?
Well, thank you for that question because it's a really big deal and it's something
that we must be aware of.
And I'm going to tell you why.
First of all, smishing.
We all know what phishing is.
And that is, for example, an email comes in
and it purports to be somebody else
and we've seen the awkward versions from Nigeria,
the prince and all that.
We're not talking about that.
We're talking about well-engineered,
gosh, that looks like it's from FedEx.
And my package is delayed, I better click that link.
That's what that looks like.
Well, now that's happening in texts, SMS. They're calling it smishing. Smishing is also the term that's being used to describe what we would call multi vector phishing.
Not only are you getting the phishing email, but you're getting a text which corresponds to that email,
and you're getting a phone call that corresponds to it. It's all beautifully timed and engineered
so that your sense of it being legitimate is fooled because of the timing, the level of engineering, the level of fact and level of detail that's coming in.
You say, wow, this is a real deal. And you lose the thought of this could be phishing or this could be smishing. It's so authentic.
In addition, they're adding the element of artificial intelligence to it. The smishing triad is a group out of China. It's three, maybe four very successful
hacking groups that we have to believe are supported by the CCP because of the level
of technology they have and the amount of money they're making. It can't be off the
radar screen of the CCP. I don't believe that. The Chinese government, we believe,
is fully aware, if not involved, and supportive.
And they've added this layer of collaboration
amongst themselves and artificial intelligence
so that there are constant feedback loops.
For example, you get a text, you get a phishing email, you reply in some
way, you engage in some way. Artificial intelligence then adjusts the exploit according to how
things are taking place, pulling new information that they have on you. They have so much information.
Oh, we need this to make it look a little bit more real. They'll pull it in real time.
And it will be very difficult.
They're going to be using voice phishing.
It's going to sound like the banker.
It's going to sound like the attorney that's closing on the home.
There are going to be all of these elements put together, orchestrated by artificial intelligence
for efficacy in real time. And
our indicators are that they've got about a 60 percent success rate in these exploits.
Now, a great exploit might get three or four or five percent, which is high.
That means if you attack 100 people, three, four, five of them are gonna become victims.
Right, that's pretty good business.
And that's why every criminal syndicate in the world
is retooling for cyber.
This, they're batting 600 with this smishing triad
as a result of AI in the way that they are so sophisticated
in engineering these exploits.
It's like the goose that is laying golden eggs.
So we're already seeing, according to some resources,
a million of these attacks a day.
And it is just starting.
So I will tell every listener, every viewer on the podcast,
you 100% should expect during the course of 2025 to see this type of exploit
in some shape or form.
And that's where your awareness,
that's where your critical thinking skills,
and that's where your deliberate process of thought
is gonna have to come forward
because it's gonna be really convincing
and it's gonna challenge some of your basic survival skills
that you've learned to date.
Yeah, just to give the listeners some perspective,
the infrastructure behind this is something like
25,000 phishing domains active at once.
They're hosted through companies like Alibaba or Tencent
and the operators are running walls of phones.
My point here is this isn't some hacker
that we see on TV in a hoodie.
It's organized crime with corporate-like scale.
And it almost leads me to believe,
like we're at this tipping point
of cybercrime becoming the parallel economy,
which is a scary thought.
It is a scary thought.
And the numbers, that's an interesting point, John,
because North Korea got into the cybercrime business,
primarily for the economics, right?
Their currency isn't worth anything.
They have financial issues.
And when they can be in the business of cybercrime and taking in Bitcoin, North Korea, it's an
element of their economic model at this point.
So I get what you're saying.
And with your experience in technology and your understanding
of the risk, with what you're seeing from the smishing triad, I can understand how you
could see there potentially could be a cybercrime parallel economy and digital currencies,
no less.
Yeah. And I want the listener to understand how easy this is. I right now could plug in a 10 megabyte file that has me doing a
series of my podcast into a tool.
And it does such a good job of perfecting my voice and how I talk
that I could create solo episodes and just put the text into this thing
and it'll spit things out.
And the average
listener would have no idea it was AI. Now what's scary for someone like me who's got
so much content out there is some third party could take my voice and do the same thing
and start mimicking my voice, hijacking the trust that I might have from people in my community if they're
starting to impersonate me.
And this is where I see this stuff going in the future and why I was so adamant about
wanting to do this because I think people need to wake up to how sophisticated this
stuff is all getting.
And we are seeing that in the field. A client is chairman of the board of a large
New York Stock Exchange company over 100 years on the New York Stock Exchange, primarily a
provider to the Department of Defense. So maybe that's an element of being targeted.
Had a retirement accounts 401k in a large firm, everybody would know on Wall
Street.
And his voice was replicated using AI.
And I don't want to get into the mechanics too much.
But when Merrill called to verify that he wanted to move $400,000 out of a 401k to another account someplace else,
his voice responded and approved that transfer.
And that 400-some thousand dollars was transferred out.
Yeah, it's unbelievable.
And especially here where I live in mid Florida,
we're close to an area called the Villages,
which has become a haven for a lot of retirees.
And I hear stories of how many victims there are coming out of elderly communities like
that who are some of the most prone to not keeping up with what's happening with technology
and thinking that these are well-intentioned people who end up stealing their life savings.
That's right. And I think they also have a little more sense of a trust in the individual.
I live in South Florida, Florida is the land of scams, like Southern
California, and you see the damage that's going on, especially in the elderly.
And it's really sad.
We have clients that are in their eighties and nineties that have really
suffered in, in these cases, in some cases, especially, they just trusted people
and they just went with it and the exploits were so complex, so sophisticated
that they really had no sense for what was real and wasn't real.
And before they actually woke up, they were done.
The money was gone.
The people were gone.
They were out the funds.
Yeah.
So I want to shift to something else and that's where the responsibility falls.
Individual or institutional.
Like when I was at the bank, I asked the personal banker I was working with.
If someone has a large amount of money in a bank, what is the bank's responsibility?
And they said, well, we're only insured up to 250,000.
And let's say a lot of listeners don't have 250,000 in their bank account, because that's
a lot of money.
Many assume Apple, Google, or their bank, regardless of how much money has them covered.
What's your view on how much responsibility falls
on the individual versus the institutional protection
that we're expecting?
So it's a situation that's fluid
and it's going from where the bank
or the institution that was involved
was really stepping up to help the client.
That goes back, call it pre-COVID.
You could feel pretty good that the bank was going to backstop you and was going to give you your money back,
regardless of whether the money was recovered or not.
I don't know up to what levels or what have you.
But that's shifting, I think, obviously, because of the volume of damages, the amount of damages. I will tell you that the financial institutions in this country
are really authentically, genuinely putting enormous resources into protecting their
reputations, their infrastructure, and their clients.
They take it very seriously,
and they're putting all the money it takes to do that.
If somebody, a client loses money
because the bank made a mistake,
the banks have been really good
about helping the client recover the money,
getting the funds back to the client in some shape or form.
But when it's really the client's fault, right?
The client took action that, you know,
they shouldn't have done.
Or it really was external of the banking systems
where the exploit took place.
More and more, they are not stepping up.
And I think for all the right reasons,
you can't backstop there.
It's not the model to backstop this risk.
And this is why you're getting all these emails
and all this information from banks around,
we will not contact you by SMS.
Do not do this because they're gonna have to tell you,
we're not gonna provide the money that you lost
because you took an action that we couldn't control
was outside of our systems
and we've done everything we could.
Sorry, but it's your problem.
You've got to figure it out.
It is getting harder and harder to get the banks
to attend to the individual's problem.
It's a massive situation.
A lot of resources are going toward all these incoming calls.
I've lost money because of this or this.
I need your help.
I need this information.
The bank won't say, oh my gosh, we're on it.
We're gonna put all of our resources toward it.
We're gonna stay here till we figure out
where your money went and got it back.
That's not happening.
More and more, you've gotta be the person
that is pushing the case through the bank.
You've gotta get the lawyer that is pushing the bank
to find the money.
Where did it go?
How can we get it back?
You've gotta be driving the progress
of the case more and more.
So to answer your question, John, I think that it is only realistic and it's just healthy
to again, find autonomy, take the initiative, be intentional about not relying on the bank,
not relying on a third party, not relying on anybody, but to secure
yourself in a way where these things are not going to happen in the first place.
There's something Brad that I've always felt interesting.
When I was doing large scale technology implementations in companies, everyone
would always think when a project wouldn't go correct, that it was a technology issue.
And 99 times out of 100, it was a cultural issue.
There wasn't enough change management, et cetera.
And when we had that huge hacking incident at Lowe's,
it was the same thing.
This wasn't necessarily a technology collapse,
although there was some of that.
What it really was that the passwords at the access point
were so easy to break that they were able to get in.
And then there was a lackadaisical approach
to the whole password systems throughout the whole company.
And so the vast majority of the correction
that we had to take once we bounced back from this was we did implement better technology.
We implemented a security operations command center, those things.
But the thing that took the most time was we had to create a whole cultural element of explaining to everyone why cybersecurity was so important and that it wasn't just
about their personal life, it was about their self protection and their
personal lives as well.
And I found that it was almost this uncanny thing that the more senior
the people were, the less that they took the threat seriously.
Very true.
Very true.
This is why we say cybersecurity for life.
This isn't about when you're in the office,
you punch in and you punch out and it goes away, right?
This is about everyday, all day experience
as a professional in your personal life.
It doesn't go away.
And to your point about senior people,
so we deal certainly with a lot of CEOs,
even three star, four star generals that are retired
and may be on the board of a department
or defense company, for example.
They've been isolated so much.
It's, oh, the IT department's got that.
Don't worry, boss, you need a program downloaded,
I'll do it for you, boss.
And their critical thinking skills,
their level of awareness and their sophistication as a user is often much lower than just the average employee in the organization.
And to your point around it being cultural, almost always find that there was some human element,
human error element. It was not that their technology was breached. More and more hackers
are looking to hack you to get to your technology. To hack you first, that's where this smishing triad
comes in. So cybersecurity, the technology is taking care of itself. I will tell you
that the tech, so much capital has been invested in IT security, including empowering it with
AI, which is remarkable in terms of how that's used defensively, that it is up to the challenge
of even the smishing triad and the most evolved exploits that we're gonna see with AI.
It's up to the challenge.
Our challenge is to not only help people embrace
and use that defensive technology,
but to do that in a way where it also elevates
their critical thinking skills and creates a partnership
so they always have somebody to call.
I don't know whether to believe this or not.
Can I send you a screenshot?
Look at my computer.
I clicked a link maybe I shouldn't have.
Is it okay?
It's going to take an ecosystem, frankly, to stand up against the level of risk
and potential consequences that we see today.
So, Brad, what are the first three non-negotiable steps
you would recommend for the listener
to protect their digital life?
I think the basics we covered around passwords, password
management, two-factor authentication, those things.
But to build out on that a little bit,
we have what we call the three primary attack surfaces.
So again, we're building in your mind's eye
how to think about these abstract notions.
If you protect these three primary attack surfaces
sufficiently, you can mitigate this risk
all the way to the margin.
You can really mitigate this risk all the way down
to practically nothing.
The first is email, all right?
We are big proponents of privatizing your email
and we help clients do that.
Get off of free email, because it's not free.
You are the product when you're using free email
and they're taking your information and we know that story.
So we say privatize your email, get off the grid,
own your own email information,
and that mitigates that risk tremendously.
The second attack factor are devices,
whether it's your laptop, computer, phone, or what have you.
You've gotta use enterprise-grade antivirus,
data loss protection, intruder protection,
a whole stack of device-oriented protection
to protect those devices from being hacked.
So number one, email, number two, devices. Third is the network, which is now ubiquitous,
whether it's your home Wi-Fi, you're at Starbucks, you're in the lounge at the airport,
wherever it is, and you're connected to the internet through some local network, that is very much a surface of risk.
And so we use things, the modern day VPNs, that will encrypt all information so it's invisible to anybody on the outside,
that will firewall networks, even public networks anywhere in the world, so that when you're on that
network, whether again, it's Starbucks at home or some foreign airport, nobody can see
your device on the internet.
Nobody can see your contents, even over the local Starbucks Wi-Fi, and nobody can download
to your device a virus or spyware or something else nefarious.
Combined, privatizing email, protecting your devices, and securing the networks
creates an ecosystem which provides cybersecurity for life, works everywhere
all the time across all your defenses, across all your devices in real time, empowered with AI, including threat intelligence
where AI can say, you know what?
They haven't done any bad, anything bad yet, but all the indicators are they're
a bad guy, if we think they're a bad guy, we're stopping them.
It's called zero trust.
We instituted zero trust across all of this.
If it can't be authenticated, they're not allowed to play in the
sandbox with your technology.
If you do that, you really can gain a lot of peace of mind.
And again, enjoy the wonderful internet and artificial intelligence and digital
innovation that we're seeing today with a minimal amount of risk.
And again, lots of peace of mind.
It's possible, but it takes intention.
So Brad, I always ask my guests
what it is to live a passion struck life,
but today you've redefined it
that it's something you got to intentionally create,
purposely live and securely protect,
especially in the digital world that we now inhabit.
Yes. And it feels good to do it Brad, it feels good to do it.
And it feels good to do it.
And it feels good to help your family to do it because our generations need help around
the notion of privacy and personal information.
And we should be doing this now.
Brad, the last thing I always ask every guest is if people want to learn more about you
and how you might be able to help them, where's the best place they can go?
Sure, so I think I'm the only Brad Deflin other than my son on the planet.
And you can find me anywhere on the internet because I do a lot of public speaking and
writing and what have you.
My company is Total Digital Security, a mouthful three words, total digital security.
And our website's totaldigitalsecurity.com.
That's just look for me or look for the company and you'll find us.
Awesome. And don't put in Brian Deflin because that person, which I mistakenly did,
is a fitness coach.
Oh, no kidding. I have to look them up. Interesting.
Just one Brad Deflin, that's me.
Brad, thank you so much for joining us today. It was really an honor to have you.
Thank you, John. I enjoyed it a lot. I appreciate being on your show.
That's a wrap on episode 639 and a crucial reminder from Brad Deflin that living intentionally
means protecting intentionally. Whether it's identity theft, deepfake scams, or the rise of cybercrime as a service, the
threats are real, growing, and deeply personal.
Here are some takeaways I hope will stay with you.
You're not just a user.
You're a target.
AI is being weaponized to exploit your trust.
Digital protection starts with awareness, and using simple tools like password managers,
multi-factor authentication, and network security.
And most importantly, no one is coming to save your digital life but you.
If this conversation sparked something, take a moment to leave a five-star review on Apple
or Spotify.
It helps the show reach more people.
Subscribe to The Ignited Life for weekly strategies to live boldly and protect what matters, and
catch the video version on YouTube at John R. Miles. Coming up next in episode 640,
I sit down with Oliver Burkeman, the best-selling author of Four Thousand Weeks, to explore a question
we all need to ask: what if the problem isn't that we don't have enough time
but that we're trying to do too much with the time we have? This conversation is a powerful wake-up call for anyone feeling overwhelmed,
over-optimized, or quietly burnt out.
Imperfectionism is the stance that says
the only thing that really counts is doing a bit of it today, this week. Maybe badly, maybe too
little by some standard, maybe with no confidence that
you'll ever come back and do it again. Maybe it's just a one off. Maybe you're not about
to develop a wonderfully virtuous habit of writing your novel every single day, but you'll
be doing it. You'll be bringing it into concrete reality. It will no longer just be an idea
in your head. It will be real. And I think the big problem with a lot of ways that people
think about productivity, personal development, spirituality, all sorts of things, is that it actually reinforces
this notion like, not yet.
Until then, live boldly, lead with intention, and protect the life you've worked so hard
to create. Live life passion struck.