Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Bee Cyber Fit: Compelling Cyber Stories to Build Your Cyber Fitness - Hiring Scams

October 04, 2022 Wendy Battles/James Tucciarone Season 1 Episode 2

You work out at the gym to stay fit. Why not build your cyber fitness too?

All too often we're busy, distracted, and short on time. We're multi-tasking trying to get things done. But that can get in the way of our online safety.

Cybercriminals look for opportunities to take advantage of us when we're out of cyber-shape.

This episode will help you strengthen your cyber muscles and build your scam detection skills.

Here's what's included:

  • Wendy shares a story about how an online LinkedIn job inquiry led to a job seeker almost getting scammed out of hundreds of dollars
  • James shares a story about a new tactic where scammers use email (phishing) and phone calls (vishing) to trick unsuspecting people
  • Discover tips to build your skepticism muscle (aka "is this really real?")
  • Listen to the buzzword and build your cyber knowledge
  • Check out the call to action and test your skills.

Lean in and listen - stories are a powerful way to illustrate both what to do and what not to do when it comes to cybersecurity safety.

Thank you for listening! Remember, it only takes simple steps to be cyber fit!

Call to Action:

Ready to get cyber fit with us? Here's a simple call to action: Take the phishing quiz and test your knowledge.

We invite you to learn more about the Yale Cybersecurity Awareness Program.

Mentioned in this episode:

From LinkedIn (log in required): Splunk interview and job offer scam

ZDNET Article: Scammers are using this sneaky tactic to trick you into handing over bank details and passwords

*******
Please Share What You Loved

Your feedback means everything to us! If you enjoyed this episode please rate and review on Apple Podcasts, Spotify, Google or your favorite podcast listening app.

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

[music]

Wendy Battles: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyberspeak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: And I'm James Tucciarone. Together, we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us?

Hi, everyone. Welcome to another episode of the Bee Cyber Fit Podcast. This is the place to be for information and inspiration about how to stay safe online and build your cyber fitness. James, episode number 2, how are you feeling?

James Tucciarone: Very excited, Wendy.

Wendy Battles: You and me both. I cannot wait to share all the information that we have with our listeners. But before we get to all of that, James, I do want to take a moment and ask you since episode 1, have you been doing any DIYing, cooking, or baking?

James Tucciarone: Actually, Wendy, I did attempt to bake a cake this past week. So, I was trying to convert a cupcake recipe into a cake recipe and it didn't come out quite as well as I would have hoped, but I gave it a try. It's a favorite cupcake that I make, so no pressure but--

Wendy Battles: [Wendy laughs] But it wasn't quite what you thought.

James Tucciarone: Definitely not.

Wendy Battles: This is your banana chocolate cupcake. Is this it?

James Tucciarone: Yes. It's banana mocha.

Wendy Battles: Banana mocha.

James Tucciarone: Yeah, yes. Everybody loves it.

Wendy Battles: Doesn't it seem like it should be simple to just kind of take this-- It's just cupcakes in a cake form. How hard could it be? Yet, these things aren't always what they seem, are they?

James Tucciarone: Not usually but I have a few ideas. I may give it another try and see how that goes.

Wendy Battles: I like that. So, you're a baker who just keeps on baking. That sounds awesome to me. Well, today we have a really great episode for you. I want to tell you the three things that we're going to share with you today. We're each going to tell you a story that hopefully will give you pause and get you thinking about today's theme, phishing. Stories with impact that will hopefully help you think twice before you take certain actions online. We're also going to share our buzzword of the day and at the end, a simple call to action to help you reinforce what we talked about today.

[music]

James Tucciarone: You've probably heard the title CEO or chief executive officer, maybe you're even familiar with the title CFO, Chief Financial Officer, and CIO, Chief Information Officer. But have you ever heard of a CSO or CISO? This is the Chief Information Security Officer. Did you know that more than half of organizations have one? Do you know if yours does? What role do they play in your workplace? Stay tuned to find out more about what a CISO does, and why the work they do is so important.

Wendy Battles: All right. Let's talk stories, let's talk cybercriminals, and let's talk about what not to do, James. We're going to try to focus on what not to do, based on these stories. As we mentioned in Episode 1, we like the power of stories: stories are compelling, and stories draw us in. We often can see ourselves in that story or understand how we may have acted a certain way. So, they can be a cautionary tale. They also help us see how easily things can happen. They help us see how sophisticated scammers have become. Back in the day, it seemed like it was very obvious to figure out, "That can't be real. It's full of grammatical and spelling errors." But today, cybercriminals are very sophisticated and it's much easier to be tricked.

We're going to also talk about how any of us, no matter our age, education, or income level, can fall for them. So, we have to be super vigilant to try to avoid it, not only for ourselves but as you hear these stories today, I'd like you to think about other people in your life you know. It could be your adult children or young adults. It could be your parents or grandparents who are online and could be susceptible to some of these things. As you're listening, think about whether there are people who could benefit from listening to this for whom this may apply.

All right, two stories, we're each going to share one. I'm going to get us started. James, let me tell you about my story. It has to do with someone who is on LinkedIn, a young person looking to get their first professional job, and what happened to her when she tried this.

James Tucciarone: Okay.

Wendy Battles: She gets an invitation, an email invitation from what is a real company, it's called Splunk. It is a technology company and it comes from what looks to be a reasonable email address, info@splunkcareers.us.

James Tucciarone: Doesn't seem too far off.

Wendy Battles: Yeah. I don't think so. They then schedule an interview with a member of the HR team and this young person went and did her due diligence, she found this individual's LinkedIn profile. And that seemed pretty legit. So far, I'm thinking that doesn't seem crazy to me.

James Tucciarone: I don't think so.

Wendy Battles: Right. Now, she has a Skype chat interview and the interviewer tells her, "Please be online at a certain date and time for an update on the hiring process." She does that, she's made an offer, and then she receives a request to fill out a whole bunch of information - an employment contract, background check authorization, a direct deposit form, and a copy of her driver's license.

James Tucciarone: The usual stuff.

Wendy Battles: Yeah. Right, it's the kind of stuff that they would ask us to fill out at Yale that they asked us to fill out, so that part seems to me pretty okay. But this is what then happens. Long story short, the company tells her that they want her to purchase some equipment and it's a phone, it's a computer, it's some other things, and that they are going to give her a company credit card that she's going to then attach to her personal credit card. But she's going to get reimbursed for all this. So, she goes and she purchases the equipment, but they tell her that after she purchases the equipment, it should be mailed to a certain address because they want to put on their Splunk branding. So, they want to have the Splunk logo on the phone and the computer. What do you think about that so far? Does that sound legit to you?

James Tucciarone: I was with you up until they asked the candidate to purchase equipment, and then send it back to the company. That to me seems very weird. One of the things I think right off that is like here at Yale, we have a procurement office, and they have contracts with lots of different companies, especially for the purchase of equipment, not only so that they can make sure that they're getting what they expect, but also so that they can try to get some discounts on all of these products that they're purchasing.

Wendy Battles: Exactly, exactly. I think that is probably true of other companies too, that you wouldn't necessarily be going out-- especially at a big company, to ask people to go out and buy something and waste time searching around for it. It seems like if anything, it would be a link you go to get this stuff to request it and then it's sent to you. Can you imagine, though, that if you're a young person, you haven't had a professional job, how you might not know any of this?

James Tucciarone: Absolutely.

Wendy Battles: Right. So, it's that cautionary tale, that's how I think people could fall for this. So, this is what happens after that. She buys the equipment, and then she goes to UPS and she ships it but as soon as she ships it, she has this feeling. You know that feeling you get, James when you know something just doesn't feel right? Sometimes, we can't put a finger on it, but you just kind of know, your intuition is telling you, "I don't feel good about this." So, she reached out to some friends and colleagues and explained the situation and they suggested that she reach out to the HR department directly, because they thought it seemed a little sketchy. Just like you were, "I don't know about this," that's what they thought too. She reaches out to the HR department and learns that is in fact a scam, and that Splunk would never ask a potential employee to do all this. Luckily, she was able to-- because it was immediate, she literally was able to cancel the shipping via UPS and talk to her credit card company to avoid any charges.

So, that's pretty compelling to me, because hundreds of thousands of people are looking for jobs. And not just young people, it can be people of any age and with the sophisticated way that job searches are done now, everything being online, and having this kind of communication with potential employers that could be via LinkedIn or one of many websites, etc., I could see how this could happen.

James Tucciarone: Definitely. This was a very compelling scam. The cybercriminals are definitely taking advantage of our emotional state, and the excitement about being offered a job. What I will say, though, is that I did notice a couple of things over the course of this story that could have been considered red flags. One thing is, there were some typos in the communications that were going back and forth. I mean, it was a messaging app, via Skype, so people are, I think, a little more casual. But still for somebody that's offering you an official position, if they're an official representative for the organization, hopefully, they would spellcheck or at least review their draft before they send it over. One of the other things I questioned was, did this person actually receive an official job letter? I know here at Yale, we do still receive official job letters or an official job offer, when we're accepting a position. So, did this individual receive an official job offer from the company?

Wendy Battles: James, I do understand exactly what you're saying and just like anything, the basic things we would do to see if something seems legitimate, we'd still want to do to check for grammar, misspellings, hovering over the sender's email address. What I liked about this story is that she did a fair amount of due diligence on the front end.

James Tucciarone: Right.

Wendy Battles: She already was thinking "is this legitimate?" for her to go to LinkedIn. Look for the person who allegedly was the person from HR, they had a profile. So, that seems legitimate.

James Tucciarone: These scammers also did their due diligence. They looked at somebody in the organization that they could actually impersonate to convince this person that they were an official person from the company.

Wendy Battles: Exactly, exactly. We just have to be on our cybersecurity toes when it comes to this. And both trust our gut, but also look for the things that might be red flags. We sort of do both of those things to help us look for. Not that we want to be skeptical of everything, but I think some healthy skepticism in this day and age is really important when it comes to building our cyber fitness.

James Tucciarone: It's super important. I think, like you also said, trusting your gut, we say that all the time here, right, and it's true. People, I think, have sort of an innate understanding if they're being scammed or if something's legitimate. And often, I think we just have to take a beat and trust our gut.

Wendy Battles: Yeah. Absolutely, absolutely. So, that's my story. Tell us about yours.

[music]

James Tucciarone: All right. I have a story from ZDNet. It's about a sneaky new tactic that bad actors are using to try to steal our credentials and steal our financial information. It's a rise in what they're calling a hybrid phishing attack. Basically, what's happening is scammers are sending emails to potential victims claiming to be their banks, the police, the government, any sort of organization that you would actually take note of if they reached out to you, and they're contacting these victims by email. But instead of including a malicious link or a malicious attachment, they're actually including a phone number and advising people to call them back. Now, when the victim calls them back, of course, they reach a human being who is impersonating an official representative from the police or your bank or the government and they're telling you, "Hey, we're going to help you with the problem we just discussed in the email." But what they're actually doing is fooling you into giving them information that they can use to take advantage of you.

Wendy Battles: That is sneaky.

James Tucciarone: It really is.

Wendy Battles: The thing that really strikes me about that, James, is that I feel like we've been trained to look for the links and the attachments, and we've learned so often don't click on it, don't open it. But to not even have that, I could see how people can be, "Oh, okay, it's a phone number. Let me call them."

James Tucciarone: Right. It makes it a lot more difficult to identify that it's a potential scam as well because, like you said, there's no link. There's just a phone number. These emails can be designed now to be so convincing, having brand logos or the right content--

Wendy Battles: Yeah.

James Tucciarone: --and now you have a phone number, and you're like, "Jeez, let me call them back." So, the key thing here is because there are no links or attachments in the email, these phishing messages are actually bypassing a lot of filters that would normally keep these spam messages out. And that means that more people are getting them and then more people are potentially responding to them, which the article actually mentions that the increase in these types of attacks has been 625% just over the past year.

Wendy Battles: That is crazy, 625%. That just seems-- I mean, it's just so big.

James Tucciarone: It is, and to be fair, I will say since it is a relatively new type of scam, I'm sure that the increase is because originally the number was zero or some other low number. But still, I think it does speak to the fact that they are on the rise and it is a really sneaky way for them to try and get at us.

Wendy Battles: Yeah. I can see with people being so busy and distracted, number one, how people could fall for that and as they're quickly going through their email, say, "Oh, okay, I better take care of this. This is my money--" or whatever the company is, so I can see already how some people would want to call.

James Tucciarone: Absolutely. Just like we were saying before, once again, they're playing on our emotions. In this case, it is fear and also urgency. Because if you receive a message from your bank about your account being locked, or about a suspicious transaction, or from the police, or from the government, you're going to want to act quickly. And of course, you might be nervous about, "Jeez, what's actually going on?"

Wendy Battles: Exactly. I think curious minds, we want to know, and I don't think it's unusual to want to take action. What you said earlier too, that this is something new, just reminds me that these new things pop up all the time. Every time we think we might have gotten a handle on some of the ways that cybercriminals are getting after us and we should pay attention, there are always new ways and new things that we haven't even thought of that they're working on and probably already have in development that will be the next new thing.

James Tucciarone: Wendy, that's why we all need help from people like the information security teams, people like ourselves, and people like our chief information security officer. And with that, I think we can jump into our buzzword of the day.

Wendy Battles: Absolutely, James. Let's do it.

[music]

James Tucciarone: Here's the buzz on chief information security officers. Before there were any CISOs, most organizations relied on the IT professionals dedicated to their infrastructure security. With digital data having replaced filing cabinets and working across networks now commonplace, the protection of that digital data and those other resources becomes increasingly critical. And that leads us to the CISO, the executive acting as the senior information security representative. They're responsible for ensuring an organization is properly protecting its information technology footprint, and balancing security needs with the organization's strategic goals. Generally speaking, a CISO develops security policies, plans for a response to security incidents, and keeps our work safe from digital threats. They are really our knights in shining armor when it comes to protecting our organizations and our work from cybercriminals. Meet Yale's current CISO, Jeremy Rosenberg, on the next episode of Bee Cyber Fit. He'll share his story, offer simple tips to stay safe and reveal what he sees as our biggest threats.

Wendy Battles: So, now you know a little bit about a CISO and you know a lot about phishing. It is time for our call to action. It's not just enough to listen and hear about this. We'd like you to build your skills and become more cyber fit, build that cyber muscle. We'd love for you to test your click-with-caution knowledge with a phishing quiz. We have linked to it in the show notes. It's a simple way for you to work on your discernment skills. Are you able to discern and identify the things in these emails that seem askew or make you raise your eyebrows?

James Tucciarone: Wendy, I think people will actually be surprised. I know that I got a few wrong myself and didn't think I would.

Wendy Battles: Yeah. James, you're right. Seasoned professionals like us, we still get it wrong, which goes back to what you said before that any of us, no matter our age, education level, experience, etc., can fall victim to these things for a host of different reasons. So, we hope this helps you build your cyber muscle.

[music]

James Tucciarone: That's all we have for you today. So, until next time, I'm here with Wendy Battles, and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible. Of course, we'd also like to thank Yale University where this podcast is produced and recorded.

Wendy Battles: Thanks again, everyone, for listening, and we look forward to sharing our next episode with our special guest, Jeremy Rosenberg, the Chief Information Security Officer at Yale University. Until then, remember, it only takes simple steps to be cyber fit.

[Transcript provided by SpeechDocs Podcast Transcription]