Making Sense of your Cents
Feeling overwhelmed by your finances? Wish you could get clear, simple advice from a trusted source? Welcome to "Making Sense of your Cents," the weekly podcast from First Century Bank that gives you actionable financial tips.
Join hosts Daniel Hill and Shanna Browning as they cut through the confusing jargon to help you build financial confidence. Whether you're looking to understand your credit score, create a budget that actually works, spot the difference between APY and APR, or protect yourself from scams, we're here to help.
Our mission is to empower our community with friendly, practical money knowledge. Subscribe now and start making sense of your cents, one simple tip at a time.
10 - Spotting a Phish: How to Avoid Common Scams
Fake emails, suspicious texts, and urgent calls—scammers are working overtime to trick you. In this episode, cybersecurity expert Ben Lawson, GM of Burk IT, joins the conversation to teach you how to spot the red flags of a phishing attack. You'll learn the psychological tricks of urgency and authority that fraudsters use to manipulate you, how to inspect a sender's email address, and hover over links to reveal the truth.
If you’ve enjoyed listening to Making Sense of your Cents and you’ve found our tips helpful for your financial journey, I want to ask you a quick favor. Please take a moment right now to hit that Subscribe or Follow button on your favorite podcast app. It’s the best way to make sure you never miss an episode, and it helps other people in our community find the show.
Subscribe today, wherever you listen to your podcasts (Spotify, Apple Podcast, etc.) and send your questions to podcast@fcbtn.com.
Episode 10 | Spotting a Phish: How to Avoid Common Scams
00:00:00 Daniel Hill: Shanna, with Christmas just a couple days away, I got a text message that's so common this time of year. It had a big shipping company's logo on it and said, we're unable to deliver your Christmas package. Please click here to update your address and schedule a new delivery.
00:00:16 Shanna Browning: Oh, it happens more and more, doesn't it? Especially tricky during the holidays when everyone's looking for their packages and their gifts, and I'm sure it seemed legitimate at first.
00:00:25 Daniel Hill: It did for a split second, but then I paused. I wasn't actually expecting a delivery that day, and I noticed the link was weird. Jumbled set of letters and numbers, not the company's real website. And there was that sense of urgency. Do this now or you won't get your Christmas gift.
00:00:42 Shanna Browning: And then what do you do?
00:00:44 Daniel Hill: I deleted it immediately. It was a phishing scam, plain and simple. Designed to take advantage of the holiday chaos. They were trying to get me to click that link and enter my personal information on a fake website.
00:00:57 Shanna Browning: And those messages seem to come more and more these days, bombarding us through text, email, even social media. Learning how to spot them is no longer just a good idea, it is an absolute essential life skill and especially during this holiday season.
00:01:22 Daniel Hill: Welcome to our Christmas episode of Making Sense of Your Cents. I'm Daniel Hill.
00:01:27 Shanna Browning: And I'm Shanna Browning. And last week we talked about what the importance of digital security is. But today we're going to really take a deep dive into the single biggest threat to that security - phishing.
00:01:40 Daniel Hill: And to help us understand how these scams work and how to protect ourselves, we are thrilled to welcome an expert in the field. Ben Lawson is the general manager of Burk IT. For over twenty-five years, his team has been dedicated to building trust relationships with their clients by providing practical and secure IT results. Ben, thanks for joining us.
00:02:02 Ben Lawson: Oh, thank you both for having me. I'm thrilled to be here. And, you know, phishing is is a very important topic, uh, for all of us. It's something that we deal with here at Burk IT, with our clients each and every day. Honestly, I think it's something all of us deal with each and every day. And it really has become the primary way that criminals get their foot in the door, uh, both in our personal lives and in businesses. If you look at some of the most recent stats, I think more than the number is higher than ninety percent of all cyber attacks have some form of of phishing as the initial attack vector.
00:02:32 Shanna Browning: And that's crazy to us, right? So that's our goal today when we talk phishing, we're not talking like fishing - like standing on a dock fishing. It's a different kind of phishing. But we're going to break down what that phishing is. And it's the psychological piece that scammers use to trick us. But we want to talk about the red flags so you can look for a spot to see a fake message before you even click that link.
00:02:56 Daniel Hill: Exactly. And Ben, let's start with a clear definition. We hear the term phishing all the time. What is it and why is it called that?
00:03:05 Ben Lawson: Well, phishing. And be very clear. We're not starting with an F, we're starting with a Ph. But it it is, it is that digital bait. It is that mechanism that a scammer uses. They send this out trying to hook you in, uh, to, to give some type of sensitive information up. They're pretending to be somebody trustworthy, somebody you know, somebody you would relate to, and they're trying to get you to give up credentials. They're trying to get you to give up, um, you know, verification of your identity, uh, access to your system. They're trying to to pull you in with this bait, and we're seeing it across the board. It's it's no longer just emails phishing with a ph, uh, started with emails, but we now see it with, uh, voicemail messages and phone calls, which we call vishing with a V. Uh, we see it with text messages, um, and we call that smishing with an SM so for SMS texting, uh, and we're seeing it in social media. We're seeing it across all of the ways we communicate it, uh, with with each other as a way to pull us into this trap.
00:04:04 Shanna Browning: So what's the goal? What? What are they after?
00:04:06 Ben Lawson: Well, really, they have a they have a couple of, of main goals. One is to get you to interact. They want you to click on usually some type of embedded link or some type of embedded attachment. Uh, it's going to be something that looks very real. It's probably pointed, uh, to a website that you would trust, but that website is really fake. Uh, and when they get you, they're, they're trying to collect a username, a password, a phone number or, or some other type of, of information.
00:04:33 Daniel Hill: And they often will make it look so legitimate, like you, you look like you're logging in on your bank's website, but it's not, um, what's their second goal, Ben?
00:04:47 Ben Lawson: Well, the the second goal is usually twofold. One, sometimes they'll embed an attachment. They want you to interact with a document, or a PDF or a word document or something you would trust. And that usually has some type of malicious payloads. They're trying to infect your computer. And when they infect it, they're either going to use that as a resource for some type of botnet attack or some other type of malicious online activity, or they're going to, uh, gather keystrokes. They're going to watch your behavior on the computer and gather information at the, at the keyboard and mouse level. And then the other piece is a lot of these phishing attacks have become a precursor to a longer, more involved attack, what we call business email compromise or personal email compromise, where they're trying to just simply interact with you and build trust. And they want to build trust and relationships so that at some point along the line through one of these malicious, uh, takeover mechanisms or just simply to redirect you, they're going to steal some information, point you to a different site, steal a money transfer, do something else. Uh, rather nefarious.
00:05:52 Shanna Browning: You know, and just sitting here listening to you talk about this Ben, it's just really, really, really frustrating for for us as a financial institution for what they do to our clients. But also, you know, as employees, we've all been hit. Um, I think from the same way I know at least I have been that it it just preys upon the trust in what you're trusting your bank to be. Right. And what's a familiar brand?
00:06:16 Ben Lawson: Oh no question. I mean, they they really are leveraging all the tools available, uh, to them today in a modern world, it's very easy to, you know, harvest logos and reformat language and reformat email layouts. I mean, they really have become, you know, masters of disguise. They can pretend to be anybody they want to. And that's only been exacerbated by artificial intelligence and the ease of manipulating content and and duplicating individual behaviors and language and language patterns. So, you know, it's not just that they're spoofing an email address, which they do very effectively, but they're spoofing us. They're spoofing us, and in every way you can imagine. You know our cadence. You know our our way of speech. Uh, even with some of the voicemails, they can emulate, you know, accent and, you know, colloquial terms. They can they can do whatever it takes to to become us.
00:07:06 Daniel Hill: Wow.
00:07:07 Shanna Browning: My goodness.
00:07:08 Daniel Hill: That's just crazy. So Ben is as a security professional, I know these attacks aren't just technical. There's a lot more to it. There's psychological. Scammers have become experts at manipulating human emotion. What are some of the key tactics that they use to get us to, you know, let our guard down?
00:07:30 Ben Lawson: Well, I mean, that's that's a great question. And you really nailed it. This is not simply a technical battle. It's not a matter of, okay, we just need a better filter or we need a better technical control, or we need a better firewall. You know, when we talk about phishing and and social engineering at this level, it really comes down to training each other and having this conversation and being aware of the threats, because it's it's a human factor attack they're picking on us. I mean, one of their one of their key mechanisms, as we've talked about all these psychological factors, is they want to prey on a sense of urgency. They want you to think that something's going to happen right now, and it's either going to be really good or it's really bad. Hey, you've got an opportunity to to win some money or hey, there's there's a chance you're going to lose your account or you're going to lose access to, you know, your, your Apple account and use your phone or your Samsung or Google account and not have the ability to do what you need to do with your phone or your email or, you know, it's a final warning or something's going to be suspended. They really want you to be caught off guard and become very reactive and not proactive in how you approach that message.
00:08:36 Shanna Browning: So basically, it's just designed to go past your logical, rational side of your brain. You're just worried because your account is being closed. So immediately we've got to take that action right. Just click the stop without without stopping to think about it.
00:08:53 Ben Lawson: Exactly. I mean, it really is that. Let's force you into that reactive mode. Let's let's take the the slow down and think about it out of the equation. Um, and it and and that's, that's how we that's how we fall prey. That's how we slide into that. I mean, and then they go on to those, those second and third and fourth triggers. They really want to create some sense of trust or some sense of authority over you. That's why they'll start spoofing things like, you know, the Internal Revenue Service or we're seeing a lot of attacks where, um, cyber criminals are pretending to be, um, law enforcement agencies. So, uh, local sheriff's departments and police departments and, and the FBI and others, or a company that you trust, an organization that you do a lot of business with. So they're going to spoof, you know, Netflix or Amazon or Google or Microsoft or or someone that you know and you believe is legitimate. And because they have those tools to readily replicate websites and logos and and and page layouts. It's very easy for you to be familiar with that and and fall right into that trap.
00:09:55 Daniel Hill: It's just it just blows my mind at how good these people get. You know, not only do they go for the sense of urgency or, you know, appealing to our trust, they also go on to a deeper level. Some of them use appeals to our emotion, um, fear, excitement, even, you know, even romance.
00:10:19 Shanna Browning: Yeah. Oh, yeah.
00:10:21 Ben Lawson: Oh, yeah. No, the romance attacks. There's a whole. This is going to sound a little weird, but the the name of the attack is called pig butchering. Uh, and it's been a it's been an attack. That's that's been in the, in play in the world for the last several years. And, and it's cyber criminals who start with those social engineering attacks. They, they prey on lonely individuals. They prey on individuals that may have just lost a loved one. They try and build some type of relationship, maybe even a romantic relationship, and that may start on a legitimate platform. Then they move you off to text messaging, or they move you off to another social media mechanism. And then it is, oh, by the way, I've got this great investment opportunity and I need you to go buy some Bitcoin. And then then it just goes very goes downhill very, very quickly. Because you're not only lonely, you want to interact with another human, but they're going to prey on that emotion of, hey, I can make more money. Hey, I can retire sooner. Hey, I can, I can access these funds, and then then you're downhill.
00:11:17 Shanna Browning: So what I'm hearing you say through all this conversation is just that they're hitting that person, the emotions of that person, the brain rationale of that person. So it's it's the person they're hitting, not the computer.
00:11:31 Daniel Hill: Wow.
00:11:32 Ben Lawson: No, you're exactly right. I mean, I tell this to all of my clients, everyone that I interact with, even I do a lot of of just general public awareness training. At the end of the day, we are the weakest link. I mean, humans are always going to be the weakest link because we have access to all the tools. We can bypass the controls, we can make the decisions we we're at the keyboard and mouse, or we're interacting with the the microphone and the camera. So we're the easiest target. We can't simply just put a lot of great cybersecurity controls on the system and assume we're going to be safe. Those are important, but those are just layers. At the end of the day, if they can bypass one of the layers and that's us, that's the human, then they have a foot in the door and bad things can happen.
00:12:13 Daniel Hill: Yeah. Wow. Wow.
00:12:16 Daniel Hill: So we've talked about what phishing is. You know, it's very psychological. It's very emotional. Um, but let's talk about the practical side a little bit. Ben, what are some of the specific red flags that people should be looking for? And let's, let's bring it back to kind of the the origin of emails or text messages. They get this text message. What are they looking for?
00:12:42 Ben Lawson: Well, first and foremost, you want to be thinking about as you receive messages, as you look through your inbox, as you get those text messages, you is this expected? Is it someone that I know? Uh, is there an unusual sense of urgency? Is am I being pressured to make a decision? So it's may or may not be somebody I know. Lots of times they're pretending to be someone you know. So that's not always an immediate telltale, but does the timing seem strange? Am I being pressured to do something very, very quickly that otherwise wouldn't make sense? Are they trying to take away the opportunity for me to validate legitimacy by saying it has to happen right now? We've got to make this change right now. We need this money right now. We need you to validate your credentials right now, or something bad is going to happen, or something good is going to happen. But taking away the ability to slow down and think is really that first, you know, telltale sign that something may be a little off.
00:13:40 Shanna Browning: So as you said, urgency and pressure are obviously going to be the first one. So let's keep rolling. What's into that second one? What's the next thing we look for?
00:13:48 Ben Lawson: Well, the second thing you want to look for are some of the more practical things that that hopefully we've all been talking about for a long time. And, and that is does this email address look legitimate? Is the phone number legitimate? So if I get a text message and says, you know, hey, this is Daniel, I need you to help me with this real quick. Is that really coming from the contact I have in my phone? That is that is Daniel does the email, does the phone number look correct? Does the email address look correct? You know, they're very - cybercriminals are very good at looking at a brand, a logo of a domain name or you know, that that URL that, that address that's in the address bar and say, if I just change a couple of characters or if I take, you know, you know, I'm sitting here looking at the First Century logo, if I take away, you know, f i r s t and make that the number one and s t, will that quickly trick someone's brain into thinking this is legitimate, so it's good to just slow down and look and say, is this what I have always expected? And hopefully, you know, we've got tools in place. You're looking to see, you know, if this is a message that's coming from inside my organization or appears to come from someone inside my organization, but that little banner is up there that says, hey, this came from outside your organization. It's something a little off. And we have those controls with with our personal lives as well. So we can look at, you know, at Google or Outlook or whatever email mechanism we use and say, hey, is that banner up there? It says, this looks a little fishy? Something seems off from your previous communications? You know, take time to stop and think and hey, is this legit? Or did someone I know actually have to change their email address? Or is this is this a phish? Is this nefarious?
00:15:23 Daniel Hill: Mhm.
00:15:24 Daniel Hill: Sometimes it pays to pause.
00:15:27 Shanna Browning: Yeah. Slow down.
00:15:28 Daniel Hill: Just slow down for a minute. You know. And that that kind of brings us to the links themselves doesn't it Ben.
00:15:33 Ben Lawson: Oh it does I mean we, we have had a campaign here for many years at at Burk IT, we actually 3D print keychains for our our youth engagements and for our community engagements that say think before you click. And it's it's just a common sense thing we all can do in, in every part of our, our digital lives is look at that, that link, hover your mouse over it. Is it going where it says it's going? Does the URL make sense? You know, is this someone that would normally ask me to click on a link, or would they, would they interact with me in a different way? You know, we have a lot of ways to say today in this world, hey, why is this organization sending me an email when I have an app on my phone? You know, why are they trying to get me to click a link when normally I would do this through the app that I've downloaded or the website that I know and trust. So you really stopping before you click and thinking about why am I interacting this way? Does the address seem correct? If I hover over it, is it is it going where it says it's going? All of those common sense things that can hopefully take some of the ammunition away from the bad guys?
00:16:34 Shanna Browning: Well, that's certainly an interesting thing you say, because I know how Daniel and I interact. So if he ever sent me something very formal, I'm going to be like, that is not. That is not.
00:16:43 Daniel Hill: That is not me. Not at all.
00:16:45 Shanna Browning: That is not Daniel. So I get I get what you're saying exactly right there. If you're interacting, you should know what that interaction is like. So let's roll into the next one. What's tell us about the content of what that message or email text message, anything like that. Tell me what that looks like.
00:17:02 Ben Lawson: Well, and Shanna, you just touched on it. It's you know, if you get content that seems very formal or very casual and that's not the way the person normally interacts with you. That's that's an immediate red flag. You know, if, if, if I get, you know, a twelve page email from one of the engineers here at the office. And normally I'm getting, you know, three words that are acronyms, then something's a little off. Um, you know, we used to say, look at it, you know, is is the title what we would expect. Is the is the English not accurate or does it seem like English from another part of the world. You know, AI has sort of taken that that factor away from us. And because the cyber criminals can just simply pretend to be someone from East Tennessee and emulate us very, very effectively. So really, you're going beyond the the syntax and the punctuation and the language, and you're saying, is this how I normally interact with that person? You know, I interact with the CEO of one of my bank clients differently than I interact with one of the, you know, engineers at one of my bank clients. So you have to really think, is this a normal conversation? Is this how we would normally communicate?
00:18:07 Shanna Browning: Well, and I think you said that really well, that AI is changing.
00:18:11 Daniel Hill: Yes.
00:18:12 Shanna Browning: Everything. Everything. So I think that's right.
00:18:15 Daniel Hill: So we've talked about the sense of urgency. Do it quickly. Um, where is it coming from? The links that are included, the content, and even more so the content is, is the the method of communication, how they're communicating. What would you consider? And let's bring it back to the financial side of things. What is one of the most important rules of all? When you're looking at correspondence from a bank, First Century Bank sends you an email. What what do you want to be aware of when you get that email?
00:18:54 Ben Lawson: Well, I mean, first and foremost, no legitimate organization, no legitimate company, no financial institution, certainly not First Century Bank is going to ever ask you to provide sensitive information over email or over text.
00:19:08 Daniel Hill: One hundred percent.
00:19:09 Shanna Browning: Yep.
00:19:09 Ben Lawson: You know, that's that's not going to happen. You know, organizations are mature enough they know the threats that their clients face that their customers face. So they're going to interact with you in an appropriate way. So think about who you're interacting with and what they're asking and realize that's never going to happen for a legitimate organization. You know, the the the police department's never going to contact you and say you need to pay a fine via credit card over the phone right now or we're going to arrest you. You know, that's that's not how these things work. So if it if it seems unusual, if it seems like a demand, if it seems urgent and they're pretending to be someone trustworthy and legitimate, like your financial institution, like a law enforcement agency, like a government entity, you know, like a well known online retailer. And they're asking for something that seems completely out of bounds. Stop, stop. Think. Go to your statement. Go to your bank statement and find that phone number and call and ask a question. Uh, you know, find a legitimate website that you type in that you know is safe and legitimate and verify the information that's being requested. Do not react to that sense of urgency.
00:20:17 Shanna Browning: Well, and I think sometimes, too, I'm going to jump in here real quick. But I think sometimes too, even most people forget that there's a phone number on the back of that debit card.
00:20:26 Daniel Hill: Right?
00:20:26 Shanna Browning: Call that debit card. You know, that's going to link you to us real quick from a banking perspective that will will help answer the questions if you feel scared about that. But I think people just forget there's a phone number on the back of that card.
00:20:38 Daniel Hill: Well, and to that point to that kind of goes against the culture that we've kind of created is, hey, you can do this online or you can do this through email or, you know, sometimes, like Ben said, it's okay to pick up the phone and call. There's nothing nothing wrong with that.
00:20:56 Daniel Hill: Yeah.
00:20:57 Ben Lawson: Oh yeah. And that is that is a generational barrier that I think we all fight. So, you know, there's an entire generation of individuals that have grown up with, with smart devices in their pocket and know that they can text and they can email and they can go to an app, or they can go to a browser and, and have really lost that skill of, hey, I can talk to a human and find out some very valuable information.
00:21:17 Daniel Hill: Yeah, we've great point.
00:21:19 Daniel Hill: We use our phone for everything but a phone.
00:21:24 Daniel Hill: So...
00:21:25 Shanna Browning: That's a true story!
00:21:27 Daniel Hill: Ben, this has been incredibly helpful. Um, thank you so much. Now it's time to get into this week's actionable tip.
00:21:39 Shanna Browning: All right. So in listening to to Ben talk and got us a little bit. So the action item this week for you all to look at is to adopt the stop, look, and verify habit. Again, stop, look, and verify. So the next time you receive an unexpected email or a text asking you to do something, we want you to consciously practice this three step process. Stop, look, and verify.
00:22:06 Daniel Hill: So the first thing you're going to do in that is you're going to stop. Don't immediately click or reply. Fight that sense of urgency the scammer's trying to create. Just take a deep breath and pause.
00:22:18 Shanna Browning: Count to ten. If you have to count to ten, work it out. Stop. Next one. Look. What are those red flags? Look for those red flags we just talked about and that Ben covered. Check the sender's address. Look at that email. Hover over the links. Read the message carefully. Is it generic? Is it formal? How do you interact with that person? Are there spelling mistakes? And trust your gut? Trust your gut. Does it feel off? And if it does, again, trust your gut.
00:22:50 Daniel Hill: And thirdly, probably the most important: verify. If you're still not sure if the message is real, verify it through a separate trusted channel. Don't reply to the email or call the phone number in the message. Instead, open a new web browser. Go directly to the company's official website, or call the official customer service number you have. Like Shanna mentioned, it's on the back of your debit card or your credit card. Ask them if they sent you that message.
00:23:19 Shanna Browning: I think that's important is having that conversation. So if we look at practicing this stop, look and verify habit for just a few times will help build a powerful mental muscle that can protect you from the vast majority of phishing scams.
00:23:34 Daniel Hill: That's exactly right. Ben. Thank you so much for joining us and for sharing your invaluable experience.
00:23:40 Shanna Browning: Yeah, Ben, this is great information for for us as employees to know.
00:23:45 Ben Lawson: Thank you both. I'm thrilled to be here. I'm very grateful for the opportunity. And, you know, it is important for us to know that not only are we the biggest risk, but we can also be the the most important tool in keeping an organization, keeping ourselves secure. So, you know, use those those tools that you've you've learned today. And I think you'll you'll be a lot better off. It's it's always good to have this conversation.
00:24:05 Shanna Browning: Yeah. It's great information. Great information. I think sometimes people just are afraid to ask or just I'll just do it now and then we'll work it out and it's a lot easier to pause, like Daniel said, a lot easier to pause than it is to have to try to fix something that's just going sideways. So as we roll into the next one next week, we're going to talk about the other ways to protect your identity from threats like elder fraud, which is becoming bigger and bigger and bigger, and then synthetic ID theft.
00:24:33 Daniel Hill: From our First Century Bank family to yours. We want to wish everyone a safe and very Merry Christmas. We hope it's a wonderful time with your loved ones. Please stay vigilant with all your online shopping and your communications.
00:24:45 Shanna Browning: We sure do. We wish you a merry, Merry Christmas and thank you for making us a part of your holiday week. Wherever you listen, please subscribe and send us your questions at podcast@fcbtn.com. And I'm Shanna Browning.
00:25:00 Daniel Hill: And I'm Daniel Hill. Go out and make some sense of your cents.