Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Bee Cyber Fit: Steer Clear of Walmart and Netflix Phishing Scams

November 01, 2022 Wendy Battles/James Tucciarone Season 1 Episode 5

Did you know that both Walmart and Netflix have been involved in high-profile phishing scams?

It's probably not a surprise.  

Many brands, large and small, find themselves ensnared in phishing campaigns that aim to trick their customers into divulging personal information.

The good news is that you can get cyber fit and learn how to outsmart online thieves!

In this episode you'll learn:

  • Which well-known companies appeared in the most phishing scams in the 3rd quarter of 2022
  • How a woman in Denver went from potential Netflix phishing scam victim to cybersecurity champion, informing others on social media
  • How cybercriminals kept one victim on the phone for 11 hours and convinced him to buy $35,000 worth of Walmart gift cards
  • Some good news - the ingenious way Walmart developed a technology to identify and freeze suspicious gift cards
  • The lowdown on spoofing (our buzzword of the day!) - what it is and tips to avoid it

Call to Action:

We want to hear your story. Tell us how you’ve been a cybersecurity champion. Use this link in the show notes to share your story. We’d love to feature it on an upcoming episode of the podcast.

We invite you to learn more about the Yale Cybersecurity Awareness Program.

Mentioned in this episode:

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.


[Bee Cyber Fit intro] 

Wendy Battles: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles. 

James Tucciarone: I'm James Tucciarone, together we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us?

[Bee Cyber Fit intro theme] 

Wendy Battles: Hey, everyone, welcome back to the Bee Cyber Fit Podcast and welcome to all of our new listeners. If you're tuning in, then you're most likely interested in knowing more about how to be cyber-safe.

James Tucciarone: And this is definitely the place to be for engaging, eye-opening and maybe even inspiring stories about cybersecurity and cyber scams.

Wendy Battles: Today, we've got some great stories to share, our buzzword of the day, and a simple call to action.

James Tucciarone: Wendy, I'm actually really excited about this episode, because I feel we're starting to see the bigger picture and starting to see what some people call the anatomy of a hack. But before we dive in, let's introduce our buzzword of the day, which is about a common technique bad actors use in cyber scams.

What do you think about when you hear the word spoof? Maybe funny or exaggerated imitations come to mind. Or, maybe it's tricks, jokes, and hoaxes? But did any of you associate cybersecurity with the term spoof? Stay tuned for a breakdown of what spoofing is, and how it's used in cyber scams.

Wendy Battles: Now, James, we've talked a lot about how cyber criminals tried to fool us into thinking they're somebody they're not, and that's what our first headline is about today. Check Point's Brand Phishing Report for the third quarter of 2022 shows that shipping company DHL actually appears in the most phishing attempts.

James Tucciarone: It's actually really surprising, Wendy.

Wendy Battles: Well, it is. Number one, when I hear DHL, I think, totally irrelevant [chuckles] because when I think of shipping, I think of UPS, I think of FedEx, it is very rare, I even see a DHL truck.

James Tucciarone: Same.

Wendy Battles: But what I've come to realize, James, is just because that might be what I perceive, or what I experienced, it doesn't mean that's true for everyone. And DHL is a huge company worldwide.

James Tucciarone: Very true.

Wendy Battles: I also thought it was interesting that companies that we know, like Microsoft, LinkedIn, Walmart, and Instagram are also on that list because many of these brands we use regularly. I am almost every day on LinkedIn and Instagram. I use Microsoft products. So, this might give some of our listeners some pause in thinking about those brands that cybercriminals are targeting a lot these days.

James Tucciarone: Absolutely. A couple that really stood out for me were Google and WhatsApp, both of which I use. But the big one for me was Netflix. And that's what I'm actually going to share some stories about today. My first one was covered by ABC's Denver7. And just recently, a woman from Denver received a text message from "Netflix," saying that they couldn't process her payment, which doesn't seem too crazy. I mean, a lot of businesses do send us text message alerts, so they provided her with a link to reenter her information. At first, it seemed like a legitimate website. She goes on to say that she actually entered her password. And when she reached the next screen, she started to see some things that didn't quite add up. The two big ones were that she noticed a foreign number and that the web address was off. So, as you might have already guessed, it did turn out to be a fake website. But the thing I really liked about this story is that afterward, she took to social media to inform and warn others. She was kind of like a neighborhood cybersecurity champion, where she was empowering others to increase their own cybersecurity fitness.

Wendy Battles: James, I love that she felt empowered, and not embarrassed to share because that happens a lot, that people feel shame or they feel disappointed in themselves that something happened to them. But her willingness to take that as a learning opportunity for herself and for other people is something that I very much commend.

James Tucciarone: Absolutely, you're totally right. I think that a lot of people feel that there is a stigma about being a victim to cybercrime. And it's really awesome, that wasn't the case here. My second story is very similar, and also about Netflix. It was published by cybernews.com. And right off the bat, I really love the headline, "Bad actors star in Netflix phishing scam."

Wendy Battles: I like that.

James Tucciarone: The story breaks down the typical Netflix phishing scam. But it also offers a new twist, which is the use of a zipped attachment that contains an entire website in files that can be viewed offline. And because the website is being viewed offline, and not over the internet, the bad actors can make the website appear to use real legitimate URLs, and also bypass a number of different security checks.

Wendy Battles: So, basically, a lot of trickery, on their part.

James Tucciarone: Exactly.

Wendy Battles: That's an interesting twist. And it reminds me that there are honestly endless ways for us to be tricked, some more obvious than others.

James, that's a great segue into talking about my story about trickery. And it's a little different because it focuses on gift card scams. In this case, it's about one of our top brands, one of the ones we mentioned earlier, Walmart. I know many of us shop at Walmart, either online or in the store. But just because it's a trusted, well-known brand, doesn't mean we can't get scammed as we talked about earlier. And I'll share in the story.

I do want to tease it with the idea that there's a semi–happy ending based on some technology that was developed by Walmart, that has given some of the people that were victims of the scam some of their money back. Here's what happened. As we often see, scammers like to target senior citizens. And they did that very effectively in getting people to purchase gift cards. And it's a huge problem. Each year, it's reported that there is an increase in the amount of money that's lost to gift card fraud. And I'll just point out that Yale University is not immune. We have had members of our community that have fallen victim to gift card scams when they received an email that seemed like it was coming from their manager or from a dean of the department that seemed pretty official. And they actually went out and bought the gift cards and ended up losing money. So, it's a reminder that it's not just older people, it could be any of us at any age to which this can happen.

James Tucciarone: Absolutely. Wendy, I'll also mention that we featured a story in a recent edition of our Bee Cyber Fit newsletter, where one of our interns fell victim to a gift card scam as well.

Wendy Battles: Right. Young people, older people, people everywhere in between, it can happen to any of us. I'm glad you mentioned that article, James. We've included a link in the show notes. If you'd like to read more about this experience our intern had, it was really quite compelling. Let me tell you a little bit about how it works with gift card scams, especially when it comes to seniors. The scammer phones the senior and purports to be from a government agency or some kind of official-sounding business. They tell them that they must purchase gift cards immediately to resolve a debt. And you can imagine, they threatened consequences if they don't do so. As soon as the gift cards are purchased, the victims relay the codes that are on the back of those cards to activate them. And then the scammers go and buy merchandise with the cards that they sell for a profit. 

So, they're using stolen money to purchase the goods that they then profit from. And you can see that fear, urgency, and intimidation are some of the big motivators that might encourage an older person to fall for this. James, can you see how that might happen?

James Tucciarone: Absolutely. I think the big thing here, Wendy, is like what we talk about all the time, these cybercriminals are trying to take advantage of our emotional states. So that fear, that urgency, that intimidation, they're tried-and-true tactics to get victims to respond. Although, I will say that, personally for me, I don't know that I would ever believe somebody that was asking me to pay for one of my bills with a gift card. If the utility company called me up and said, "Hey, James, you need to pay last month's bill by going out and purchasing $100 in Walmart gift cards," I'd probably be like, "Really? When did you guys start doing that?"

Wendy Battles: Exactly. That's a big red flag, which probably makes sense for us because we typically know how we pay our bills, we pay them online. Generally, there's a way we do that through your checking account, etc. I can totally see how we would be like, "Yeah, no," that's totally not right. But I also can see the other side of this, James, and I can see how an older person who may be less sure about things. They might have been totally sure about this 10 years ago and been like, "Nope, that's not right." But how you might get a little confused or you feel pressured, or you might be thinking, "Oh, my gosh, this doesn't sound good, and they're going to do something terrible to me." I can see how someone could fall for this, who is already vulnerable, even though it doesn't sound that rational to me to think I'd be paying one of my bills via a gift card. So, I know just what you mean.

James Tucciarone: And I think that fear plays a big part because, I mean, I'll be honest, if I received a message or communication from a government agency, and by that, I'm assuming, it's going to be somebody who's going to get me in trouble for something, I might be a little more likely to go along with whatever they tell me, because who knows what the other option might be.

Wendy Battles: And that intimidation is powerful. Now, in the article, it does say just what you said that a government agency will never ask you to pay for a debt via a gift card, so it's not something that is typically done, not a normal thing to expect and something that should raise a red flag for us. And again, this goes back to having these kinds of conversations with people that are vulnerable, perhaps parents or grandparents, older friends, who may not know what we know.

James Tucciarone: Absolutely.

Wendy Battles: They may not know these things. That's when I think we can serve in that role as a champion to other people.

James Tucciarone: Definitely. Wendy, I'll also mention that as we're having those conversations, we should also include cryptocurrency. It's another big scam, we see it a lot, where bad actors ask us to pay by cryptocurrency. We should also know that most government agencies and most businesses, at least today, are not going to ask us to pay for things by cryptocurrency, as the only option.

Wendy Battles: And that's something that's confusing to so many people, myself included just this whole idea of cryptocurrency. One day, James, we're going to have to do an episode on that, and the scams that have arisen from that. But you're right, it's something that would seem out of the ordinary if someone asks that.

James Tucciarone: Wendy, I will say that I think it's awesome that Walmart developed, and probably quickly developed, technology to identify and freeze those gift cards. Wendy, I also really, really appreciate this story, because it describes how the Department of Justice went on to seize the money through federal court action and then help victims to reclaim that money. We've talked about it in previous episodes and at great length off of this podcast, that it's so important to know that local and federal authorities can investigate and that we can report crimes to them. And it's really, really, great to see some people get their money back because that isn't always the case.

Wendy Battles: Yeah, in the article, they mentioned that this is really the exception to the rule as most people don't get their money back. But I was encouraged to see that at least it did happen to a small degree. The other thing that the article talked about was just how much money older people have lost. There are many different examples. One that really stands out is a scammer that kept one victim on the phone for 11 hours. 

James Tucciarone: That’s insane.

Wendy Battles: 11 hours, James, that is totally insane, because first of all, like I could never make it 11 hours talking to anybody. And I like to talk but I mean [James laughs] that seems incredibly excessive. What's really alarming is that this person ended up purchasing more than $35,000 in gift cards.

James Tucciarone: Well, I'm sure the scammer said after 11 hours, "I want my payday."

Wendy Battles: I can't imagine what they would say that would be so compelling that would have people so scared and intimidated that they would give up $35,000 over 11 hours.

James Tucciarone: Really.

Wendy Battles: That's just really--

James Tucciarone: Mind-boggling.

Wendy Battles: It's mind-boggling, and honestly leaves me speechless. [James chuckles] I know that for now many of us listening, you might be thinking, "I would never fall for something like that. How could someone do that?" Which is good to hear that there are many of us that are probably thinking just like we were saying, "If someone asked me to pay for the electric bill with a gift card, I'd know something was wrong." But the question really gets back to those other people in our lives that may not be as savvy as you are who's listening right now. And how we can help others along because they sometimes don't know what they don't know.

James Tucciarone: Absolutely. Wendy, that's why I'm so excited for the stories that we share today because they really focus on cybersecurity champions. And I think it's so great that people or companies are taking action.

Wendy Battles: Absolutely, that is encouraging. In the midst of a lot of bad news about the volume of scams, it is encouraging to know that there is a little bright light. There are some things that are working well. We just need more of that, James; we need more of that.

James Tucciarone: Here's the buzz on spoofing as it relates to cybersecurity. Generally speaking, spoofing is when cyber criminals masquerade as a known or trusted source. Common spoofing techniques include disguising email addresses, website URLs, and phone numbers, just to name a few. Different techniques are used for different types of attacks, and sometimes techniques will even be used together. For instance, scammers might use a spoofed email to send us a link to a spoofed website. Whatever the method, the goal is to make the attacker appear more trustworthy. To get started, let's review the techniques we just mentioned. One of the most common is email spoofing. Bad actors might forge the name that appears in the "from" field, or use an address that looks similar to one that's official.

Website spoofing, also called URL or domain spoofing, is when cybercriminals create a fake website that looks just like the real one. They even use URLs that contain common misspellings to take advantage of mistaken keystrokes. And phone spoofing, usually called caller ID spoofing, is when scammers trick your caller ID to make it appear as though the call is coming from somewhere or someone that it isn't. They often make the number appear local, or as if it's coming from a real company. Knowing all the surprises attackers have in their toolkits helps us to better protect against them.

Here's a few tips to outsmart online spoofers. Always review and verify the sender's address when you receive unexpected emails. Check the URL when visiting a website to make sure you're where you expect to be. Finally, don't answer calls from unknown numbers. Once a scammer knows they can reach us, they'll just keep trying different approaches in hopes one will slip through. As always, keep listening to the Bee Cyber Fit Podcast, where we provide you with a toolkit to help defend against the bad actors.

Wendy Battles: Based on today's episode, we want to hear your story. Tell us about how you've been a cybersecurity champion. Tell us about one way that you've encouraged others, made them more aware, or built up your own cybersecurity awareness and championed this cause. There's a link in the show notes to share your story, and we'd love to feature you on an upcoming episode of the podcast. 

Alternatively, I'll mention that we love reviews. If you love the Bee Cyber Fit Podcast, we encourage you to leave a review for us in your favorite listening app. And at the same time, share a little bit of your story. So, one of two ways to share your story and we look forward to the possibility of featuring you in a future episode of the podcast.

James Tucciarone: Hopefully, we'll hear from you soon. But for today, that's all the time we have. So, until next time, as always, I'm here with Wendy Battles, and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible. And we'd like to thank Yale University where it's produced and recorded.

Wendy Battles: Thank you all so much for listening. We really appreciate it. And remember, it only takes simple steps to Bee Cyber Fit.

[Transcript provided by SpeechDocs Podcast Transcription]
