Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Recognizing and Avoiding Cyber Scams During Major Events & Crises

Wendy Battles/James Tucciarone Season 3 Episode 10

Can you spot a scammer exploiting a natural disaster or a global event? 

On this episode of the Bee Cyber Fit podcast, we're arming you with the knowledge to protect your digital life. We delve into the growing trend of cybercriminals using current events to deceive unsuspecting victims:

  • From the intricacies of pretexting to the frighteningly realistic phishing emails generated by AI, we uncover the latest tactics used by bad actors. Listen as we dissect recent scams, including those that emerged in the wake of hurricanes and the CrowdStrike outage, and offer crucial tips to help you recognize and safeguard against these threats.

  • Excited about the Paris Olympics? So are the scammers. We dissect the myriad ways cybercriminals have preyed on the enthusiasm and emotions of fans to trick them out of their money.

  • Learn to identify phishing schemes, fake news, and impersonation tactics designed to exploit your excitement and fears. With a focus on building cyber self-awareness, we'll share actionable advice to help you stay vigilant and secure. 

This episode is your essential guide to navigating the digital landscape with confidence and outsmarting cybercriminals at every turn. Don't miss out on this must-listen episode packed with insights to keep you cyber-safe!

Calls to Action:

1. Be the first to know about our upcoming cybersecurity awareness training. Bee Cyber Fit at Yale: The Essentials of Working Securely launches in October. Sign up to receive alerts.

2. Review our Click with Caution and Protect Your Identity webpages for up-to-date information to be cyber-safe.

3. Subscribe to the Bee Cyber Fit podcast on Apple Podcasts or Spotify so you never miss an episode. 


Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

[music]

Wendy Battles: Welcome to the Bee Cyber Fit podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: And I'm James Tucciarone. Together, we're part of Yale University's Information Security, Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us? Hey, everyone. Welcome to another episode of the Bee Cyber Fit podcast. We're excited you're here and hope you're ready to get cyber fit with us. If you're a new listener, welcome aboard. This is the place to come for information and inspiration to stay safe online and outsmart cybercriminals. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students build their cyber muscles. 

James Tucciarone: In today's episode, we're talking all about how cybercriminals exploit current events to trick us into giving our personal information and our money. We're going to provide some examples, discuss some of the tricks that bad actors use, and also provide some tips that we can use ourselves to stay safe. 

Wendy Battles: James, if I had to give this episode a theme, I would call it cyber self-awareness amid many current events. Cyber self-awareness is all about staying informed to protect our personal information and clearly not fall prey to all of the things that can happen. So, we can't wait to share more details about this as we all work to empower ourselves and build our cyber safety. But before we get into all those details, let's hear our buzzword teaser about pretexting.

[music]

James Tucciarone: What would you do if you received a random phone call from someone asking for your financial support or an unexpected email from your boss asking you to buy gift cards for a special activity? Both of these scenarios are commonly used in pretexting scams. Stay tuned to find out more about what pretexting is, what we need to know, and the steps we can take to stay safe. 

Wendy Battles: James, now more than ever, we are seeing record numbers of phishing attacks, especially as current events happen. We know that there are all kinds of things in the news that happen, and cybercriminals very quickly now take advantage of it. So, before we get into talking more about that, talking about some recent examples, I wanted to share with the audience, why the why? Why is there such a proliferation of phishing attacks? And there are so many different reasons, but there are two I want to key on today. The first is AI. So, many of us know about artificial intelligence. We know that artificial intelligence is often being used against us. One of those forms is called generative AI.


Generative AI is when we go to something like ChatGPT or one of the other bots that you can use, and you put in a detailed prompt about what you want. So, cybercriminals can put in detailed prompts related to current events. This disaster just happened. Write an email telling people that they can do x, y, and z, but basically all to steal our money or information to get at our personal data. So, that's one of the things that's happening and because AI is so sophisticated, because those things can be generated in just literally a few seconds, they can so quickly take advantage of these current events, and if something bad happens they're immediately on it. So that's, number one, the power of generative AI. 

The other thing is, if you could imagine that maybe it's not me, this solo cybercriminal, but I'm part of this criminal organization, and I go to a company where that's all they do is craft these phishing emails or things to deceive us. So, you can do it on your own, or you can do it in this more agile way where very quickly lots of people can help you plan this out and orchestrate in really short order. So, those are just two of the things that we're seeing that are increasing the proliferation of these phishing attacks that seem to show up immediately after we see these current events in the news. 

James Tucciarone: Those are two great points, Wendy, and you're absolutely right. Phishing is agile, and cybercriminals are too. They want to take advantage of these current events. So, I'm going to jump a little bit into the why. So, we often see phishing scams related to charities and also following natural disasters. So, in the US, we've had a couple of recent hurricanes, and one of the scams that we've seen is related to hotels in Texas, where people were scammed into booking hotel rooms when they needed a place to stay after having damage to their homes. And also related to natural disasters, we often see scams related to reconstruction, to FEMA and other emergency services, and also just other general support services. One of the other examples that a lot of us may be familiar with is related to a recent CrowdStrike outage that happened in July.

And this was where many people's computers went down because of an update that CrowdStrike had put out. And following this incident, there were phishing attacks offering people support and assistance where a fix for this problem was freely available. These phishing attacks were actually charging people for their assistance and for this fix. And this is a really great example of how bad actors can take advantage of something that just happened and be agile to make changes to their attacks and try to get at us in a timely way. Many of us have probably also been keeping up with this year's Olympics. 

Wendy Battles: Mm. Can I just say that I love this year's Olympics James? I was one of those people avidly watching it, not able to go to it since it was in Paris, but my gosh, it was awesome. 

James Tucciarone: Well, Wendy, I know that you were not one of the people, fortunately, that fell victim to a scam related to the Olympics. We saw a couple of things happening here. One was phishing attacks claiming that people won free tickets. However, they had to pay a small fee to actually get those tickets.

Wendy Battles: Always an angle.

James Tucciarone: Always. Another scam that we saw, which is also pretty common in general, was fake websites where people could buy tickets, but they never actually got those tickets. So, in both cases, people paid for something that they never got. 

Wendy Battles: Yeah, James, those are really great examples of recent occurrences in the news, as you said, that they are leveraging these cybercriminals against us. And one of the things that we see happen is that cybercriminals are capitalizing on our emotions. It could be fear. It could be urgency. So, your house is damaged or you lose power and you need to go somewhere else. So, you're more likely in a situation where you're under stress to perhaps not think things through carefully. And something that under normal circumstances, you might say that just seems too good to be true. You may not, in a situation like that, where perhaps you're feeling desperate or afraid, unsure, not clear how things are going to unfold. So that's how they often get us, by capitalizing on those emotions. Even the Olympics, “Oh, my gosh, I want something free.”

It speaks to this idea that sometimes greed gets in the way. Like, “That is so cool. I won these free tickets.” We don't always think in a common sense way about, “Could this be real? Is this something that I should be pursuing? Does that seem realistic, to think that something I never entered, they're telling me I won free tickets?” We'll talk about in a little bit some things that we can do. I just wanted to reinforce what you're saying, that they prey on us in these different ways that can have both an emotional and obviously a financial toll when we fall for these things. So, that's what we want to try to avoid.

You so succinctly talked about some of the recent scams that have gone on, and I want to dig into that a little bit and deconstruct some of the tactics that they use. So hopefully, since we said this is about cyber self-awareness, we want to heighten your awareness so that you can ideally avoid these things. The next time something big is in the news, it might help you stop and think, “Mm, this seems so odd.” So, there are three tactics I want to talk about in our episode today. The first one is phishing. So, we talk about phishing all the time. It's fake communications that are designed to lure you, often using emotion to act in a way that's ultimately not usually in your best interest. People trying to steal your money or get some information from you.

And there are tons of examples of this. But of course, any urgent emails, we're already alluding to that. Emails asking for account details or instructing you to click on this link to take advantage of this offer that you might see during some current event or to donate to this charity during the latest relief efforts. So, that's one. So, phishing emails also, of course, I'll mention to you in the form of text, it's not limited to just emails, it could be phone calls too. But emails certainly are the most prevalent, probably followed by texts. And then, of course, there can be what we call vishing. These phone calls try to trick us too. Tactic number two that's used is fake news and misinformation. Fake news and misinformation, we can find examples of that on websites.

Cybercriminals can create fake news articles. They can use social media posts that are completely false to lure victims. So, the example of a fundraiser for some kind of hurricane relief, for example, could be a post on social media that gets you to donate to something that's not real. So that's just an example of that. So, it's just important to beware of false information that surrounds major events like CrowdStrike and be wary of: If I click on this link, is it taking me to a malicious website? Are there ways that they can gather my information? Or am I putting my credit card number into something where they're going to steal that information? Now they have my credit card number, my name, and my address. And then they can go on and use that on many other places. That's the second thing.

And third, impersonation. Cybercriminals can impersonate people that we trust. These days, they can get so much information from LinkedIn, from things we put in social media, places we show up, and how we talk about that. They can use that information against us. They can act like they're boss, a boss' boss, a family member, and trick us into providing our personal information, sensitive information, whether it's a credit card or it's a crypto payment, you name it. It could be something, James, like, “Oh, my gosh, so and so was hurt in the recent hurricane. They really need your help.” I mean, there are so many different ways that we can spin this where they can take advantage of us. 

And of course, as we know, we haven't talked about it so much in this episode, but we have before deepfakes, how now they can find people's voices online and they can replicate those voices that sound very authentic and make it sound like that person is actually calling and saying, “I'm in distress, I need help. I need you to send money.” Couple that with a natural disaster, and you can see where this could go and how people could really fall for it. And one last example, think of it from the Yale perspective. Something happens, it's CrowdStrike, and you get an email that looks like it's coming from the ITS Help Desk, asking you to log in on a page that looks like the CAS page, our central authentication service page, where we log into many applications at the university. 

Just an example of how we can end up with compromised accounts. We put our net ID and password into this page that we think is real when it's not. And they steal our credentials. So, there are so many different ways that they can grab our information that is not at all helpful and often very detrimental.

James Tucciarone: That's very true. And I'll throw in a couple of others as well, Wendy, which would be somebody impersonating a government official, offering support, offering emergency services, or even a booking agent, say, when we need to get a hotel, when our home has been damaged. And that's why it's so important that we know what we can do to avoid these types of scams. And here at Yale, we like to use our recognize, relax, rethink model. And this fits perfectly in terms of these types of scams. So, to recognize, we can stay informed about current events and also know the folks that we can lean on for support. When we relax, that basically means being skeptical of unsolicited communications, especially those requesting our personal information. And rethink is basically verifying our sources independently and making sure that we're talking to who we think we are.

Wendy Battles: I like that, James. It's a simple way for us to think about this. Recognize, relax, rethink. And to your point about recognizing, we're trying to stay informed. And often you mentioned leaning on people who can lend support. So not feeling like we have to be in this alone. When we recognize something doesn't feel right and sometimes it's just a feeling, sometimes you get that gut feeling. You can't quite put your finger on it, but something just feels not right, that recognition. I like how you coupled that with support. “Okay, who are people I could lean on that could help figure this out.” So, thank you, James, for those tips. Things we can do to be more self-aware, remember cyber self-awareness is the theme of this episode. And with that, let's learn more about our buzzword of the day, pretexting. 

[music]

James Tucciarone: Here is the buzz on the social engineering tactic known as pretexting. Imagine you receive a frantic call from someone claiming to be one of your relatives or friends caught in a foreign country and desperately needing money. The voice sounds familiar and the story is heart-wrenching. Before you know it, you are transferring funds. This is just one example of pretexting in action. Ultimately, pretexting is when cybercriminals fabricate a convincing story or pretext to gain a victim’s trust. These bad actors might pose as a bank representative, a tech support specialist, or even a long-lost relative. The goal is to gain our trust and exploit it for their benefit. They may try to trick or manipulate us into sharing sensitive information, sending money or gift cards, or downloading malware, just as a few examples.

With pretexting, cybercriminals often research their victims using information available online, such as that through social media. This helps scammers to design a plot that builds rapport, gains our trust, and makes their story more believable. They’ll commonly impersonate someone with authority, like a boss, or someone we’re inclined to trust, like our company’s help desk, our relatives or our friends. Using artificial intelligence, these bad actors can even create audio deepfakes to sound just like the person they claim to be. So, what can we do to protect ourselves from pretexting attacks? Here are a few key tips that can help keep us safe from cybercriminals and this type of social engineering. Be wary of unexpected requests for personal information. If you receive a call or email that seems suspicious, hang up or delete it immediately.

Then contact the company or person directly using a verified phone number or email address instead. Think carefully about the information you post to social media and be selective about those to whom you add to your social media circles. It's also good practice to regularly review your social media security settings to ensure your accounts are not widely accessible. Consider using our FUDGE model of common social engineering tactics, where FUDGE stands for fear, urgency, desire to please, greed, and emotion. Cybercriminals often use one or more of these triggers to trick us into acting against our better judgment. And keep listening to the Bee Cyber Fit podcast, where we help you to be aware, to be prepared, and to be cyber fit. 

Wendy Battles: All right, James. This was a brief but action-packed episode, talking about current events and how cybercriminals leverage those and use them against us to extract money, information, and things that we don't want them to know and they try to get out of us. We talked about recent scams that have been in the news, like CrowdStrike. We talked about the tactics that they use to try to trick us, and then you just shared some tips. So, the thing about all of this that I think is really important is this idea that we need to build our critical thinking muscles. Because you just talked about the three Rs. That's the critical thinking part. There's the awareness part and critical thinking. I'm aware that something doesn't feel right or seem right. What can I do about it? 

The critical thinking skills, so that we can be proactive and avoid situations where we get taken advantage of. So, to support all of this that you are learning today about building your cyber self-awareness muscles, we have three simple calls to action. If you are part of our Yale community, we're happy to say that in October, we are going to be debuting our first-ever cybersecurity awareness training. It's called Bee Cyber Fit at Yale: The Essentials to Working Securely. So, we have encapsulated some of the things we're talking about today and many other important points into this online self-paced training to build your awareness skills to really develop those cyber muscles so that we can be safe during our work at Yale. But it also applies to our home life as well. So that's number one. And what I want to encourage you to do is to sign up to be on our first-to-know list when the training launches. So, please sign up using the link that you'll find in the show notes.

Number two, we encourage you to review our Click with Caution and Protect Your Identity web pages to steer clear of many of the things we talked about in our episode today. We have all kinds of tips and information to keep you safe online. And finally, if you love the Bee Cyber Fit podcast, we encourage you to officially subscribe to it in your favorite listening app. Whether it's Apple Podcasts or Spotify or another listening app that you love, then you can ensure you never miss an episode.

James Tucciarone: Well, Wendy, I'm glad that we had this chance to talk today and share some information about staying safe even when cybercriminals are trying to attack us with current events. 

So, until next time, I'm here with Wendy Battles and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible and we'd also like to thank Yale University where this podcast is produced and recorded.

Wendy Battles: Thank you all so much for listening. We truly appreciate it. And remember, it only takes simple steps to be cyber fit.

[music]

[Transcript provided by SpeechDocs Podcast Transcription]

