[00:00:05] Speaker A: Hello and welcome back to Cyber Matters. I'm your host, Russ Dorsey, a principal and CIO at Kasufin Company.
We've been speaking with our guest Darren Mott, a retired FBI agent and the host of the Cyber Guy podcast series. And in the prior segment we were talking about the FBI, his migration from the FBI into the private sector, and now the work he's doing with these podcasts and highlighting some of those. But we wanted to talk a little bit about personal protection and being cybersmart and I think that's a great the cybersmart series that he's tied in with this podcast. Actually just giving you practical tips. Again, enough reason to go find the series. But if we were to talk about some of the things that are threats to individuals of any age, really, in our homes. So Darren, let's switch to that.
But when you talk about the elderly and elder fraud, let me bring myself back up here. Saw my parents this weekend. Thankfully they're both still with us, both in their mid-eighties and both still very present in their mind about everything. I'm very fortunate, but I was talking to them and just about everything I started because again, I've been listening to yours and so I was getting over there and just kind of rattling some things, but mom was, oh yeah, they talked about that on the Today show yesterday. I hang up on those people or yeah, we don't have our debit card. We don't even use our debit card. It's not tied to our bank account.
We keep the money moved out of the main checking account anyway, those kinds of things.
But I was talking to him about the kidnapping.
[00:01:50] Speaker B: Yes, grandma, I've been kidnapped or whatever.
[00:01:53] Speaker A: You had something close happen to you with that, which just having that conversation with our parents to say, hey, look, if something's going on like that, call. Because our experience here has been it's that same thing with the elderly.
These are people that were very successful in life with slide rules. They're a lot smarter than we are in my mind, most of our parents.
[00:02:23] Speaker B: Yeah, absolutely.
[00:02:25] Speaker A: And it's such a matter of pride to them to remain independent and to remain savvy, if you will. They want to be independent, like so the bad guys play on that.
[00:02:39] Speaker B: So the incident you're talking about years ago, I was sitting at home with my kids and my wife and my mother calls me and she says, hey, I just got a call from Patrick and it said he's been arrested. It was an arrested one, not a kidnapped one was arrested and he needed a said, well, he's sitting right here next to me, so I'm pretty sure that's not him. Unfortunately, the only reason that that didn't work for the scammers was because she knew to call me, because I'd certainly talked a lot about this kind of scamming stuff with them. But what ended up happening is they called and said Grandma. And so she said, Patrick, because she has, like, four, it doesn't matter if she just said Will or Dean or any of her other nephews. They would have said, yeah, is me. And same idea, I've been arrested, I don't have my wallet, a $1,000 wire transferred to me, whatever. That kind of thing. And so fortunately didn't happen. But now the problem now is, and there was a news report last week, and I'm guessing your mother probably saw it on the Today show where they're using AI to duplicate voices. So this lady got a call and it sounded like it was from her daughter that she had been kidnapped and they couldn't for whatever reason, she couldn't get in contact with the daughter. So thought it had happened. But all we're going to see is an evolution of these kinds of scams, especially with AI. I'm a fan of AI, I use ChatGPT, but with every technology, bad guys will figure out how to exploit it for nefarious reasons. We're already seeing that. The first thing we saw with ChatGPT was using it to create malware and do all that kind of stuff. Now with digital AI being able to replicate voices and do all that kind of stuff, but again, it has to do a lot of it is awareness and just making your elderly friends and family just be aware of these things. And something on my podcast, I say three things: understand the threats, assess your risk, proceed wisely.
If you don't understand the threats, the threat is going to hit you because you're not assessing your risk. So part of that understanding the threats is making people know what the bad things are that are out there. But I don't think enough people know it themselves to be able to tell enough people to do that. So I certainly try to do that in my life, but that's part of the reason I do the podcast. Hopefully somebody will listen to it and get a nugget of information and go tell, hey, I heard this guy talking about this. Be on the lookout for that. Because I've certainly had plenty of people, family members myself, who extended family members that are like mothers in law or whatever, have been scammed or attempted to be scammed. Unfortunately, the kids got into it quicker and were able to reverse a lot of the stop a lot of the stuff. But certainly it's like you said, this is an older generation. That's very prideful and it's very hard for them to admit when something bad happens. It's human nature, it hasn't to do with age. I'm sure if I became the victim of a cybercrime, I probably wouldn't go bragging about it, but I take that back. I probably would because it'd be good content for me to share. Actually, I shared that on LinkedIn. I got scammed by a resume thing online. I got my money back, but I still was victimized by I didn't do my due diligence. Could happen, anybody.
[00:05:48] Speaker A: When you talk about the AI and the voice, are they finding that the elderly victims, they're targeting them because there's social media activity that they contribute back? Or are they just doing robocalls knowing that at a certain time of the day they're more than likely to get an elderly person at home and then they get lucky on the name. But you talk about AI, they're duplicating the voices. So they have to be sampling the kid's voice or just getting how well.
[00:06:16] Speaker B: I think it's a little bit of both. So from a sampling, I mean, certainly you can find people's voices on TikTok. If the kids have TikTok, you can go to TikTok, get a sample, you're good to go. You only need a couple seconds and then tying it together to go. If that kid has information on their parents, you can probably find the parents' Facebook, which will then have information on the grandparents and then it's not very hard to take those couple steps and get contact information for the grandparent. It could also be the information on the grandparent is easily accessible on any of the online data breach databases that probably include true name, true address. Because when you get to our elderly population, they've been at the same place for a while. Their phone number hasn't changed in a long time. My parents' phone number at the house I grew up in is still the same as it was 57 years ago. So that number has not changed. So you're going to have those numbers that are part of data breach databases because pretty much at this point, everybody in the world has had some kind of data compromise through some kind of data breach.
If you have any kind of credit profile in the US, your stuff has been stolen through Equifax data breach. So certainly that information is out there and easily accessible and then tying it could I'm sure there's AI programs that allow you to very easily tie those things together and create that intelligence platform to launch these attacks.
[00:07:41] Speaker A: Yeah. If you think about and I don't even remember the stat on it, but our elderly people that are 55 and above hold the large portion of the nation's retirement of savings because that's where they are in life. Sure.
When you get to that point, some of these people have net worth. These people, I'm going to be one soon, but I don't have the net worth. I mean, they've got more money than some small businesses do and it's just sitting in these retirement accounts and things. So it seems logical that, yeah, the bad guys are sitting there with algorithms and if they've got the social media information and they can start doing the reconnaissance, then find their way back, then it becomes, if you will, a target rich environment. Right?
[00:08:29] Speaker B: Yeah. And I think as soon as you start looking at smaller regional banking systems, small credit unions, their cybersecurity is going to be less because they can't really afford to have robust cybersecurity like Bank of America, per se. So they're going to be victimized. They're going to have information stolen, and that's going to tie you to okay, here's Susan Turner at such and such address in Birmingham. All right, how much information can I get from this? I have information on where she lives, and I can tie it to all this other stuff and making that daisy chain to figure out relatives and social media accounts.
These guys are organized crime entities for a reason because that's what they do. And they find the information, they gather intelligence, they collect it, they have stuff that can call through it. So it's very simple. It's all social engineering.
It's relying on people's goodwill and turning it against them.
[00:09:23] Speaker A: Yeah, but it's very targeted. These aren't the, oh, yeah, sure, just the drive bys or the malware that pops up. They have identified through these other pools of data, they've identified these targets to go after.
And then there's an element of just randomness to this, obviously. I got a call the other day, and I think these are like the robocalls and everything that they get. Either Social Security Administration is calling you and there's a problem and we got to get some gift cards know, this is the FBI. I had a guy call me the other day on my phone. I wish I should have brought it up for the podcast and I may put it on here. This guy calls me. Hello? It's Russ.
Why are you calling my wife?
I know who you are. I'm going to come over there and man, what are you talking about?
I haven't called your wife. You've called now three times. You're pretending to be the FBI. I've got your phone number, know, and I'm going to report you to law enforcement. I was like, man, first off, again don't know what you're talking about, but why don't you send me the message? And he sends me and it's, hello, this is David Dorsey, and the guy never says FBI in the recording, but this is David Dorsey, and we've been gathering the case and you can press one to tell your side of the story. It was that vague.
But this guy apparently, best I could gather, was in Anniston. I'm from Anniston, and I guess he took the time to find me on the Internet. I'm findable how he got my phone number because he said it came from my phone number.
Maybe they spoofed my number, right?
[00:11:02] Speaker B: I guarantee you they did. I'm sure he had your number. There's plenty of online VoIP software that you can say, I want my phone number to appear to come from this area code. I've got phone calls from myself at least three times.
[00:11:17] Speaker A: Well, I was going to say, but the fact that they identified me by name and spoofed my number.
[00:11:21] Speaker B: Oh, right, yeah.
[00:11:23] Speaker A: Tells me that perhaps in a recent breach, that information got out, and I was trying to think of the one that might be the one. I might have to edit that out.
[00:11:34] Speaker B: Could be, yeah, I was trying to.
[00:11:36] Speaker A: Think well, but I don't go by David. I mean, I'm russ just about everywhere else, but I'm David legally. But yeah, this guy, like I said, so it's out there, but then just the coincidence of it, and that always plays into it. They're going to catch you at a time that somebody might be traveling or somebody might be going on, and it's just luck that they hit on that. Right.
[00:11:59] Speaker B: I will tell you, there are plenty of legitimate websites you can go to put in a phone number, pay $20, and it'll tell you who it belongs to. So he probably didn't have to go that if he just wanted to spend the $20 at Spokyo or wherever, he could have got your name and number.
[00:12:14] Speaker A: That's a good point.
And again, I want to stay, I guess, in this segment, stay on the, on the, on the family, you know, on the family side of things. I think the you know, the other thing about elder fraud, I mean, this, this is just straight up theft by deception. It's the hook, maybe cyber, but then it becomes a con game. It becomes that. And I'm thinking of an incident that happened with a client and they didn't tell us, and I'm going to have to edit this out, but they didn't tell us till after the fact. But your computer has been infected.
[00:12:54] Speaker B: Tech support one.
[00:12:56] Speaker A: Here's a number.
So this guy calls and what struck me about this, when he came to us after it was all over with and there wasn't much else could be done, he'd taken such meticulous notes of who he was talking to through the whole thing. He had this person's name and their employee number, which, by the way, I don't think we use employee numbers in this country. That's an odd thing. But he had everybody's name and employment number. If my employee ID, unless you're with the IRS, nobody has ever given me their employee ID. But beside the point. But they convinced him once they got him on the phone, they convinced him that there was an inside job at the bank and that his money needed to be moved. But that was the story they gave him, the cover story, so that when he went to the branch, as per their instructions, he wasn't supposed to talk to anybody because they were trying to catch somebody at the branch. And he goes in there and wire transfers out X amount of dollars and then goes back the next day. And that's when he realized, because they said, now we need to move the rest of your money. But the banks. Kind of getting back to what you said earlier about most of that money is gone.
There is a short window to get that back if people are aware of that. And I think that's an important message to get out there is if you do fall victim to this, and especially if it's a wire transfer of a large amount you can get with the FBI and IC3, which we'll need to plug later. And they can do what's called, I think call it a kill chain.
[00:14:27] Speaker B: Within 72 hours, it's an email compromised kill chain is what they call it.
[00:14:31] Speaker A: So that's something to make sure that we get out to people. But what amazed me was the stories and pig butchering. You keep mentioning that. So I want to throw it back over to you because I've explained what that term is, but then explain kind of how those scams are working, because those again, once they get them on the hook through technology, the rest of it's just a con game that they run and then the money's gone, right?
[00:14:54] Speaker B: So the newest evolution of the romance scam is what's being called pig butchering. And the reason it comes from that term is there's a Chinese phrase shana zapa or something like that. If I was smart, I would have had it pulled up here to look at. But it literally means pig butchering. And what they do is they pull you in as a typical romance scam, either through social media account and you start a conversation and it goes for a long time. It's called pig butchering because what they do is they fatten the victim up before they take all their money. So essentially they'll convince you, hey, I've got this great business opportunity, we can go into it together.
Download this cryptocurrency market app. So you download this app, you go to a website that appears to be a cryptocurrency exchange site, and cryptocurrency is one of those magical cyber buzzwords that people don't want to be left behind, so they think it's a good idea. I'm not saying plus or minus to cryptocurrency. I invested it in previously, but I've cashed out of it all because it kind of all collapsed.
But you go in and you'll invest a certain amount and they'll invest a certain amount, and there's a Ponzi scheme aspect to it where you'll watch the value of your investments go up. You can pull a little bit out of it, and then you invest more and more and more and more and more. And then six months down the road, you've invested hundreds of thousands of dollars. It looks like you've made hundreds of thousands of dollars. And then you come in the next day, the money's all gone, the website disappeared, your online paramour has disappeared, and you've basically been pig butchered at that particular point. I actually was doing a presentation several months ago at a community college for some educators and a guy came up after me, and I didn't call it pig butchering. I don't think I might have. I forget what I mentioned, that particular scam. And he said, yeah, you mentioned that scam. I was a victim of it because I'm embarrassed to tell you how much I lost. But it was amazing how easy it was to get roped into it. He had a whole text string of conversations with the person, and he was asking me, how is it possible to get his money back? I said, when did it happen? He said, two or three months ago. And I had to say, I'm sorry, that money is probably gone.
[00:17:11] Speaker A: It doesn't take much to get somebody's life savings through one of those. Right. I mean, that's the sad part.
[00:17:16] Speaker B: Yeah. I was talking to a local bank here a couple years ago when I was an agent. I was doing a briefing on cybersecurity stuff, and they said they actually have a policy that if someone comes in to wire transfer money, they will ask them a bunch of different questions to make sure they're not being scammed. The problem is now with online stuff, you don't have to go into a bank, and so the bank can't really ask those questions, those probing questions, as a buffer to try to protect you from it. So it's even easier now for the scammers because everything can be done online. You don't have that third party looking over the shoulder saying, you sure you really want to do this? This might be a scam. Because let me tell you the experience we've had with so again, there's great things for being able to do stuff online, but there's always going to be someone who figures out how to use it for illicit means.
[00:18:06] Speaker A: And the robocalls, if you're not educated on those at this point. But again, it's just that I want to listen, we fell victim to that. If my wife watches this, she won't let me in the house for a while. But she called me one day because she'd got hit with a robocall. But it was American Express calling.
But for her to be as non technical as she is, it was amazing how good these guys were at tech support, because within a few seconds, they had managed to get a remote session up on an iPhone, which I can't even do and were shadowing her while she logged into American Express to see I think it was a gift certificate or something was the scam, but it was something they were having to lock down. But they were catching just that brief second that the password shows as you go across the screen, and catching that in real time. And then the other thing that struck me, and I think this is again, part of the insidious part of this, is how ugly the guy got with her when she started not being non cooperative.
[00:19:21] Speaker B: Sure. Oh, yeah, right. Especially when they're pretending to be law enforcement because certainly law enforcement guys may get mad, and you've seen good cop, bad cop, all that kind of stuff, so they kind of use that part to their advantage. They are not stupid at what they're doing, that's for sure.
[00:19:36] Speaker A: Yeah, exactly.
I think about my parents, or even my wife in this case, she was upset that it was an easy thing to call American Express and get it stopped. And they actually did have a test charge out of New York. By the time I even got on top of it, they'd already hit the card for $10 at a Walmart. Big deal. But the emotional impact on that is she's still not over what that guy put her through, and I can't go to India and do nothing about it. Right, exactly. But until she said, my husband's in cybersecurity, and then he hung up on her. But by that point, well, think about this.
[00:20:11] Speaker B: So you say he can't go to India and do anything because I'm sure he had an Indian accent, right. Once AI kicks in and he sounds like he's from Birmingham or wherever, he's got the right accent and everything that sounds right, it's going to be even harder to stop it, to disprove that. Because right now, certainly when you get a call from the Department of Internal Revenue Service and he clearly has an overseas accent, I don't want to pick on India specifically, but he's got an overseas accent. You know, he's not a federal official. It's easy to determine. But once AI kicks in and you're able to duplicate voices, I mean, shoot, what if you got a phone call and it sounded like a politician you love, like you love some particular politician? I'm not going to pick one or the other on either side of the spectrum because I try to stay apolitical. But if you get a call from your favorite politician who's talking to you personally and asks you, hey, can you donate $100 to my campaign? That'd be great. Who's not going to donate the $100 if they had that 10-15 minute conversation? So that scam hasn't happened?
I'll predict it right here for the 2024 cycle that's coming where someone thinks they are actually donating to their favorite politician because that politician called them personally, talked to them, built them up and convinced them to send the money.
[00:21:25] Speaker A: Oh, yeah. Especially if it's plausible, if it's your local congressman who might actually have time to call. Now, obviously, if a presidential candidate is calling, you know you got something going on. But if it's, if it's somebody but.
[00:21:37] Speaker B: There's people that will believe you're. Right?
[00:21:40] Speaker A: There are people that will believe that.
I don't know what you do, though, to protect your family against that kind of thing, other than what do you do? You have safe words.
[00:21:58] Speaker B: Right? For the kidnapping scams?
You have to have a safe word. I would say, look, if you are ever in trouble. Our safe word is avocado. Right, whatever. So if someone calls and says, hey, I've been kidnapped, what's your safe word? They don't know it. It's not them. So that's one way. But again, you have to A, be aware of the threat and B, have the capability to have that discussion and prep people for that. And I would say unless you're in our profession, most 99% of the world is not doing anything close to that or thinking about anything close to that. Even if it becomes a big news article, really? Who's really watching the news to that depth, that level of understanding or application, I guess.
[00:22:48] Speaker A: No, I think that's true. As Americans we follow this curve of here's the news and then here's the permanent annoyance and we're just going to deal with it.
[00:23:04] Speaker B: Right.
[00:23:05] Speaker A: The dark side of this that we haven't even talked about and we don't need to get too far into it, but it does tie into this is these same tactics and techniques are what are used, the child predators use for grooming and cultivating targets that they're trying to recruit people to a political ideology.
The same social media mining that we're talking about. They're going after the elderly, they're also going after our kids, right?
[00:23:31] Speaker B: Oh, absolutely, yeah.
[00:23:31] Speaker A: Indoctrination, all that kind of know, with the advent of AI and understanding. Just to kind of tie this back a little bit to the FBI and understanding that as a resource. If somebody is victim to this, do you recommend local law enforcement? Do you recommend they go straight to the Bureau? I mean, I was going to put numbers up with this.
[00:23:56] Speaker B: Yeah, that's a rough one because it depends on obviously if you think someone's been kidnapped, you want to go to the FBI, but if it's a scam from kidnapping, you can report the FBI. They won't really do much. They'll ask you. They'll probably tell you to go to IC3 and report it kind of thing.
Local law enforcement really not going to be much help. That is the big problem in the cyber world is who has jurisdiction, who's willing to open a case and investigate it? How much loss was there? I mean, let's say you got a call that your kid's been kidnapped and you end up wire transferring $1,000. The FBI is unlikely to open that case because the loss amount is not enough. It's certainly enough for the victim, but from an investigative perspective to put resources for that, you're not going to get much help. Now IC3 is a benefit because if 1000 people lost $1,000, that's a million dollars in lost total. Then they'll start to do some intelligence and find a way to open a case from that perspective. So bulking it up kind of works out. And you can certainly contact your local law enforcement if it's cyber related, if it's online, they'll probably refer you to the federal authorities. You have the Secret Service does a little bit of stuff. CISA is more of the DHS's cybersecurity infrastructure.
They're more of a marketing arm of the DHS from a cyber perspective.
[00:25:27] Speaker A: But yeah, I think that's a good way to put it if you look at a recommendation though was when I go back to this bank fraud case, the bank didn't do anything for this guy and again they missed the window to pull the money back. And I think that would be something that it's okay to go ahead and get the local FBI office numbers and have them written down someplace and understand that you can call.
[00:25:53] Speaker B: Right.
[00:25:54] Speaker A: And there's organizations too.
I always like to plug InfraGard, but that's for critical infrastructure stuff. But certainly your accountant and other professionals that you work with might have a fast track to get you in to talk to somebody because in that particular case we're talking tens of thousands of dollars through a bank fraud.
That would be something that would merit an immediate action but also be, I think, a better case for an investigation. But not if you go to the Mountain Brook Police.
[00:26:24] Speaker B: Right? No, I agree. If it's bank fraud related, certainly go to the Bureau. You can go Secret Service too. They can help a little bit because they're more bank fraud oriented from an investigative standpoint, but from the Bureau especially business email compromise. Let's take that for example. If you are a victim once, chances are you're going to be a victim again, more than likely. So it is good. Like you said, have a contact. I say this all the time, know your local FBI because they're going to be able to help you. Ultimately if you need help with something, it's better to at least say, okay, I know I can contact this person and they can at least tell me where to go, tell me what to do, tell me how to report it, tell me what to do, the right thing. If you're in the middle of an incident and you don't know who to contact, you're just kind of flailing around aimlessly. And the longer you're flailing around, the less likely it is you'll have a chance to recover that money. The business email compromise kill chain has an 87% success rate if you report it within 48 hours, roughly 48, 72 somewhere in there. Because what it does, the dirty little secret of the business email compromise kill chain is you get your money back depending on where you are in the queue. In other words, so you say, okay, I got hit with business email compromise. They're able to tie it to a bank account at Bank of America. So went from Regions Bank to Bank of America. The bad guy has to then move it from Bank of America somewhere else to get it overseas. So wherever it's sitting, the bad guy doesn't keep track of it in real just. He'll go to that bank account at some point and see there's money in there and transfer it. So the beauty of the kill chain is they figure out where you wire transferred the money, and then if there's money there and you filed the complaint, you'll get the money. Now, let's say you lost $50,000, but there's only 20,000 in the account.
In other words, you already pulled your 50, but somebody else put in 20. And they haven't said they're a victim. No one else has said they're a victim. You'll get the 20, but it's depending on where you land in line. So that's kind of a first come, first serve for reimbursement or not reimbursement restitution.
[00:28:27] Speaker A: Well, that's kind of where I wanted to wrap. On the individual side, again, the threats are there, but on the proactive side, this information is out there. Like, Darren, your podcast, the stuff Scott's putting out there, there's all kinds of information out there on what to do to be safer cyber wise and then to prepare for the eventual that you might need it. I mean, even if it's just if you got a good relationship with your local police office, like I do, in Trussville, I'm giving all this personal information out here on this podcast.
[00:29:01] Speaker B: Yeah. Mountain Brook, Trussville.
[00:29:03] Speaker A: Yeah. It's perfectly okay to go to them and say, okay, I've got this going on. Can we contact the FBI rather than have it just sit there? Because time is of the essence in any of this stuff that's going on and understanding that. What I have seen is this major surge in the last few years on the federal agency's involvement in getting ahead of these cases because they're just so prevalent. Now, you're right, 98% of them, you're just going to report it, and they're going to get thrown in the number pile. And unfortunately, you lost that $50. You lost that $1,000. But if it's a more critical matter, well, Darren, I want to thank you very much for your time giving us this hour as we wrap this. If you're looking for more information, like I said, Darren's got over 100 hours of material up on this cyber guy, C-Y-B-U-R guy. Wherever you get your podcast, look for the ones for family or for FBI. They're all very well labeled, and he's got links to a lot of content behind that, too. And thank you for tuning in with us, too. So I'm your host Russ Dorsey with Cyber Matters, here with Kasoof and the Kasoof Podcast Network and wishing you a good afternoon, and we will see you again soon.