Travis Taylor:
So guys, I have some news. I got a new gig.
Adam Levin:
What
Beau Friedlander:
Congratulations. But Travis, did you know that onboarding at a new place is actually a huge opening for Cybercrime?
Travis Taylor:
Yeah, it’s a bit of a bummer. I mean, you need to email in documents with your personal info, your social security number, the transmitting tax documents. There’s always a lot of risk there.
Adam Levin:
All that’s true, but there’s an even bigger threat and we’re going to learn about that today. Welcome to What the Hack, the True Cybercrime podcast. I’m Adam Levin.
Beau Friedlander:
I’m Beau Friedlander.
Travis Taylor:
And I’m Travis Taylor.
Adam Levin:
Tarah Wheeler, welcome back to our show.
Tarah Wheeler:
It is such a joy and a pleasure to be with you today.
Adam Levin:
It’s awesome. And I just as a point of full disclosure for our audience, I am such a huge of yours that I invested in Red Queen Dynamics. Look,
Beau Friedlander:
Be that as it may. I don’t have any money in Tarah Wheeler’s company.
Travis Taylor:
I don’t have any money in general, but yes.
Beau Friedlander:
So anyway, we’re just glad to have her here today.
Adam Levin:
So Tarah, for a long time you’ve worked in cybersecurity and InfoSec. How did you get into it in the first place?
Tarah Wheeler:
I didn’t really get into InfoSec so much as I was dragged into a dark alley cost over the back of the head by InfoSec and informed you’re one of us now kid. I was sort of informed of it. And the reason why is this is 15, 20 years ago I was working as a web applications developer doing web application security. I didn’t have the name at the time for the job that I was doing, but I was working on the web presence, security and community for Halo for Xbox 360. This is really the dawn of a lot of web applications. And so I started by testing some of these web applications and realizing I didn’t have the, that I needed. So I took me and one of my contractors to a DEF Con for the first time, just heard about it. It was the biggest one went and I fell down the rabbit hole the second I showed up and I found out that the name of what I was doing for a living was web application pen testing. I didn’t know that was the name of what I was doing.
Beau Friedlander:
You were just having fun. Yeah,
Tarah Wheeler:
I was just having fun. I was like, this is great. This is an FTP server. I probably don’t belong in here, but I wonder what’s going on. So it’s a curiosity I think that gets people into this field. And over the course of doing that, I’ve had a checkered, an interesting history, and a lot of people in my field do. My stepdad started a managed service provider when I was, I think 15, 16 years old. And I used to work for a after school putting computers together. What he would do is set up networks and set up email addresses and service computers at local small businesses. I was brought into this world pretty young right at high school and the first couple times I dropped out of high school, that was my source of income. We get in trouble a lot in cybersecurity
Beau Friedlander:
And then we high school is boring. Getting into people’s systems is fun. Much more fun. Yeah,
Tarah Wheeler:
It’s continued to be fun, I promise you. And I just do it now for pay And legally.
Speaker 5:
Tarah, what’s an MSPA
Tarah Wheeler:
Managed service provider, an MSP or a managed security service provider is a business that has a bunch of clients and they help them with their technology or their information security technology. So I think that the reason this world matters to me, why, and we often just kind of call ’em the IT guy. It’s still honestly, it’s very guy heavy still, but there’s often a lot of small businesses and you say, Hey, you handle your technology. And they say, we’ve got an IT guy that’s the MSP that I’m talking about. And those businesses are from one person and just a solo practice all the way on up to hundreds, thousands of people for some of the biggest ones that are run by Optiv or IBM or data prize.
Beau Friedlander:
Okay. So everything Tarah that we’re talking about here, just to sort it out for folks listening, this is not just for people who don’t know what they’re doing or companies where they don’t have an IT person and there’s no clue, they’re like, oh, maybe we’re going to get scammed, maybe we won’t, but we don’t have any plan. This is also for people like you who totally know what they’re doing. Now, Tarah, you have a story about this.
Tarah Wheeler:
A few months ago I was hiring a contractor. I was hiring a non-technical person for my company, red Queen Dynamics, and I was very excited. They were a great person. I was hiring our first sort of non-technical hire.
Travis Taylor:
So was the contractor you were hiring remote, had you met them in person?
Tarah Wheeler:
They were remote, but I had met them in person before I knew who they were. And that first day that I had, I got them aBeauard our systems and our Slack and our HR processing and gusto and everything like that. And about halfway through the day I got an email that said, Hey, I’m having some trouble entering my payroll information into direct deposit. For some reason Gustos not letting me enter in my correct numbers and I don’t know why. And I said, huh,
Beau Friedlander:
What is Gusto?
Tarah Wheeler:
Gusto is an HR platform that lets you manage employee hours, timecard benefits, and more than anything else, payroll and taxes. And we’ve been on several other platforms that didn’t really work well for us, but Gustos designed really well for small businesses. I’m glad to be using them.
So I replied back and I said, I think there’s probably some help inside Gusto or that, but is this a US-based bank you’re trying to deposit your payroll to? And they said, yeah, it’s US-based bank. Maybe you could enter those numbers in for me. And I looked at it and I said, what’s the name of the bank you’re trying to have this sent to? And they said they provided a bank, something like Bank of America. And I looked at the bank account number and I thought to myself, that’s a little odd because we had a bank of account number too. And I thought to myself, that doesn’t look like a Bank of America account number. And I replied back and I said, well, maybe I’ve got something wrong with the numbers that you’re giving me. Tell you what, it’s a better idea. And now that you’re award a security company, we’ll start working, getting you up to date on best practices and security. Please don’t email me your bank account numbers. Post ’em over at Slack where we’re already connected. And I went over to Slack and I DMed the contractor and I said, Hey, can you just post those numbers here in Slack because if you’re having trouble, what I’m actually going to ask you to do is make sure that we can delete this information so that we’re not retaining your bank account information so that it’s all being retained by this third party processing system. And they said, what are you talking about?
I realized what had happened. This person, the new contractor had proudly updated their status on LinkedIn and in that moment where people are happy that they’ve joined a new company, they’ll tell people that they’ve joined one and that’s the day to do a payroll scan exactly like the one that I got caught up in. Now the defense in depth that we had, which was we had a third party processor who was supposed to be processing this I know and had already told them not to send sensitive information and email and even over in Slack, I was busy establishing that I was talking to the correct person. I was just gobsmacked by it. And it is just so true that anyBeaudy can get caught in a scam. It’s just the right time, the right moment, the right story and the right piece of information. And I just keep telling people that you’re going to get hacked, everybody’s going to get hacked. And it’s about having those defenses in depth to defend against them.
Beau Friedlander:
You mentioned that when somebody is putting out a note on LinkedIn just saying, Hey, got a new job, it’s fricking awesome. I’m so happy that that is the right data to do this kind of scam. So why is that the day? Walk us through that.
Tarah Wheeler:
Well, the information that’s available on LinkedIn can be gathered, scraped, pulled from a lot of different possible portals and finding the day that someone is excited about having joined a new company is the day where that company is still used to talking to them on their personal email. And so a spoofed personal email address, adding or requesting financial information or doing something that would in some other situation be very odd is normal.
Adam Levin:
So what you’re also proving is that while a defender has to get everything right, an attacker only needs to find one crack or crevice and that one day was the crack or crevice.
Tarah Wheeler:
Well, we can shore up as much as we want to, but it is true that an attacker hitting at the right time at the right place with the right person, with the right information, and again on that perfect day can get through defenses. It’s like walking through walls as long as you know where the cracks are. In this case they just predicted it by seeing somebody was onboarding to a new company for the first time.
Travis Taylor:
What kind of contractor was this?
Tarah Wheeler:
It was a designer, somebody who wasn’t experienced in security. They were a designer and I didn’t have the same expectations for security with them that I would’ve had with someone else. All the rest of our team is deeply steeped in information security. This is the first person we brought aboard who was not as technical. So I had expected that perhaps they weren’t going to be as familiar and I was watching out for and looking to teach this person how to be safer, more secure, how to abide by cybersecurity best principles and practices. And so at least part of what I was doing in that moment engaging with the scammer was sensitively working my way up to don’t send information like this over email. What you should do is you should send it over an expiring form of communication, but frankly I don’t want it at all.
You should be putting this information into the third party processor that we have. I don’t want to keep your bank account information. And so I had the expectation that maybe V, this was a person who wouldn’t know as much, which is one of the reasons I was willing to engage with them. It only would’ve taken one or two more before I would’ve gotten frustrated. So anybody can get frustrated and go, oh heck, I’ll just do it myself. I’m not sure that I could have done that myself, which is really, really good. I don’t know that I could have entered in a bank account information in Gusto without having to bypass a bunch of other security controls. They’ve set it up really well in Gusto because they understand that small businesses like mine don’t want to keep the financial information of our employees. I don’t want that at all.
Travis Taylor:
You mentioned that the way that the scam works is often with a spoofed email. Was the email address that the scammer was sending it from actually spoofed to or was it a different domain name?
Tarah Wheeler:
I didn’t look that closely and that’s at least part of it because I was expecting to get a flurry of emails that day from that person, from their personal email address. And so when I saw the metadata that just showed designer first name, last name in my email client, I responded to it without thinking.
Beau Friedlander:
Okay, so now what you’ve described Tarah, is a behavior I really haven’t paid much attention to because I think of a lot of the scams that we encounter in online crime are slow jams. They take a while, they roll, there’s a slow roll, you’re like, oh, I’ve got it. I’ve got an ace, I’ve got a king, I’ve got a queen, I’ve got a 10. Oh wait, I got a jack. So you don’t feel this sort of the alacrity of the attack where here it really sounds like a raptor sitting up on a tree branch waiting for a bunny to go by. I mean, this is a different kind of attack. I haven’t heard about this before. Tell me about that, Tara.
Tarah Wheeler:
I think it like an improved ROI on attacking smaller and smaller businesses, the ROI on this attack, the return on investment for a scammer to try to hit a single person on a given day that they may or may not be onboarding onto a company is incredibly low unless you have something assisting you. And in this case, it is almost certainly the fact that there are massive data sources available like LinkedIn, like Twitter, like publicly available information when someone’s going to be joining a new company, if you have the appropriate, it’s artificially intelligently assisted scamming is what it is. It’s spearfishing that is precisely targeted and it’s set to only operate when the right conditions are met on a lot of levels. Building a good scam, building a good AI assisted spearfishing scam is a lot like building the conditions for a financial algorithm. You’re waiting for a set of conditions to be met.
You strike fast, quick and hard, try to pull away with a little bit of profit and then recalculate. That’s very much the same process as someone would go through in developing an AI assisted scan. Here’s a high probability all of a sudden bumped up that Jane Smith has signed onto a new company. We saw this in two different places on social profiles. We’ve got the name of the company, we already have the information about how to reach the CEO. That’s publicly available information and that is all available in every dataset available on the dark net. So the dark web is going to have all that information available for purchase cheaply easily. I mean our social security numbers are gone at this point. So is all of my emails. So that information is available and it’s the intersection of those data sets. The ability to contact me rapidly and quickly with the name of the person who it looks like has just come aboard my company. I don’t really think that until I responded the first time that it was a person sending that original email. I think that I responded and it was likely somebody who was fishing very much phishing and then caught me and then began interacting with me. But that first email was almost certainly fully AI generated.
Beau Friedlander:
That is just a note to everybody listening. It is tax season. So if you think that your social security number isn’t being used by somebody, it’s just luck. Okay? Protect it, get a pin code, do all the stuff you need to do to protect it. And if you don’t know what to do, hit us up on Instagram or any other place where we are. We’re everywhere. And we’ll tell you.
Adam Levin:
So Tarah, you’re a cybersecurity professional. Did you look into the scammer to find anything else about them?
Tarah Wheeler:
No, I don’t have the time and there’s very little chance that my energy would’ve been well spent in so doing,
Beau Friedlander:
You’re adding insult to injury in terms of your time loss,
Tarah Wheeler:
Right?
Beau Friedlander:
Exactly. There’s something to be said for petty revenge.
Tarah Wheeler:
I love me some petty revenge. I didn’t go look into who this person was because I didn’t have the timer energy. Petty revenge is a lot of fun, but the best revenge is living well and I’m running a security company that’s making people better. And the best revenge I could take on a scammer like that was check over our internal documents, practices and policies and go, I didn’t catch this, but our practices and policies did. When I told everybody, you don’t send private information over emails and over Slack. Instead it needs to be entered in directly into the payroll processor or there is exploding chat. If you have something confidential, you need to ask a question about that. Our own practices and policies saved us in that moment, and it was defense in depth that did it. Even at a small company, you can have it set up so that people have an expectation of staying safe and secure.
We had that ready to go and every time I fell back on the next step in our practice and policies, I found myself having to look at the situation and go, this doesn’t seem right. And the moment it caught was the moment that I said, why are you emailing me with your personal email address to ask me these questions instead of talking to me in Slack because I’d already had that conversation. It’s time to review the onboarding documentation where it’s going to tell you don’t put personal information like that in your personal email to me and my professional email. And so in really that defense in depth, that does it.
Adam Levin:
And Tarah, and this is a person who was a real hire.
Tarah Wheeler:
Yes, absolutely a real hire. A real hire that I had hired the day before and I’m sure that they had mentioned it to someone or said hello to someone or mentioned it in a comment that was available for someone to see online. I’m sure of it.
Beau Friedlander:
Now here’s the thing, LinkedIn has a lot of fake accounts, a ton of them, and I think a lot of them are scammers who are just looking for information. So when you’re there, just be aware of the fact that you are sharing sensitive information essentially in the holding cell of a city jail. You’re not with the best people on earth. everybody who can see your stuff is not everybody who’s your friend. So what’s really kind of fascinating here is you were on Slack with the new hire, the real new hire, and you were emailing with the fake new hire and that kind of chaos, as you said, it’s common.
Tarah Wheeler:
Absolutely. I used my personal email for I’m sure a day or two as I was getting onBeauarded to almost everything at almost any company that I’ve ever been at. It’s very expected that that would be the case. And then of course you want to get over onto your email as fast as possible, but there is an overlap of time. And what’s interesting to me is that the return on investment for developing a scam like this is focused down to the just hours that it takes between somebody saying, I’m so excited I got a job, I start tomorrow. And the amount of time it would take to email someone like me did it. I’ve got what many, many tens of thousands of social media followers on different sites. I could have reposted them, I could have Beauosted something. I could have said, yay, so happy to have you aBeauard. I don’t even remember at this point, but that would’ve been the indicator that was necessary. AI can’t do a lot of things, but it can do that. It can spot that very easily.
Adam Levin:
And this situation can happen after you’ve done a deep background check of somebody you’re hiring and you have no idea that you’re communicating with someone else. So the takeaway here is it happened to you and it can happen to anyBeaudy.
Tarah Wheeler:
Absolutely. That’s the point of all of this. It’s one of the reasons I like what I do every day, why I get up in the morning and I like keeping MSPs and small businesses safe because if it can happen to me and it can happen to anyBeaudy and there’s no blame and no shame attached to it, we’ve got to stop blaming victims of something like this. And blaming the victim just gets you fewer muggings reported.
Beau Friedlander:
Yeah. So let’s talk about takeaways a little bit more here. I get it. As Adam said, it happened to you, a cybersecurity expert. It really can happen to anyone because everyone has an off day or everyone has a big day the day before that makes them tired the next day or whatever. What’s takeaway number one,
Tarah Wheeler:
Tell someone right away. Don’t let shame stop you from communicating with people who can help you.
Beau Friedlander:
That’s a good one. What else should we be looking at? Is there some way to, so this very specific situation where a criminal party is on LinkedIn looking at posts and they see there’s a new hire and they’ve figured out, okay, I’m going to spoof this guy. I’m going to send an email, this is the one, I’m going for it. And they do this scam, which we’re going to call the onBeauarding scam. And so my question is this, is there some way we can systematize behaviors, best practices, a sensibility that will help small businesses stay clear of this particular scam, the onBeauarding scam?
Tarah Wheeler:
Well, I think that the first thing to realize is I don’t think there is anyBeaudy personally trolling LinkedIn or social media to find the right time. I think that first email is automated. I think that replying to that email will get you to a person really quickly, but I don’t think that first email is a person making that choice. I think it’s a massive spear phishing operation that used this targeted information. It’s a Beaut. Well, I mean it’s not technically a Beaut. I would call it a spearfishing agent. There’s a lot of ways to look at it, but the answer is that first email was almost certainly prompted and sent not because a human being said so, but because it was programmed to do so. But the question you asked me is what can we do to systematize this? Systematize businesses having good policies? Well grade a number one is defense in depth.
If you’ve told somebody before to not send private information over email and they do so anyway, that’s an indicator that something might be wrong. And I just happened to be in the right mindset to teach someone something, so I didn’t want to snap back. I want you to engage them in the conversation, which was exactly what any scammer wants in that moment is engaging with the person. So what I think the key on this is, is for small businesses to recognize that they need to keep business information on business systems and personal information like someone’s personal credit card or personal bank account that might be used for direct deposit or for pay isn’t something the business ever needs to retain. And the system its vision of fixing this for small businesses is going to involve teaching them not to hold extraneous information on their employees.
For one thing, if you are a small business owner and you have a payroll system, you do not need to hold your employees bank account information. You shouldn’t have the ability to give it away. And the reason for that, of course, is what would’ve happened. I would’ve deposited this person’s first payroll into a scammer’s bank account and then it would’ve been rolled up, it would’ve disappeared. These bank accounts are shady and all over the place, the routing numbers are perpetually rerouted. There’s a lot of ways to get away with that and those bank accounts just roll over time. So the answer is systematizing the fix for small businesses. Don’t hold data. You don’t need to hold actively reject being asked to hold it. And my reflex in that case is what ended up catch me is what ended up being the theme that let me catch it.
Adam Levin:
Even though you as a business don’t hold that data, you have contracted with a third party that is now holding that data. And if they get breached, isn’t there some liability that comes back on you?
Tarah Wheeler:
Number one, I check the terms of service with Gusto. And so I’ve reviewed our payroll processing legal obligations. The answer is if I was the person who manually sent money to a given bank account, that’s on me. It’s not on them, but their process as far as I can recall at the time, didn’t permit me to manually override that bank account information for a contractor. Now, if Gusto had manually overridden it themselves, for instance, if someone had called up Gusto and tried to talk them into changing direct deposit information for my employees and Gusto had done so, they’d be in some trouble, we’d be having a different conversation. But the challenge on this is if that bank account, if I had done what the scammer was asking me to do first, it would’ve been very difficult with all our processes to get all the way through that and then even to confirm it with the contractor that I’d done.
So I doubt we could have gotten that far, maybe not more than two more steps before everybody would’ve known what was happening. But if I didn’t have those processes in place, I could have done exactly that. And the answer is in that case, I’m SOL. If the amount is big enough, perhaps I can go to my business and cyber insurance for fraud, but I’m not going to for a small amount, like the amount for a two week paycheck for one contractor is not going to trip the $50,000 deductible for a lot of cyber insurance policies. Everyone in this case is just in trouble.
Travis Taylor:
You’re the sun in Mexico. You mentioned that this was a part of a spear fishy attack, and I’m wondering if you can just sort of walk us through how spear phishing is different from regular phishing attacks and some of the tactics that are used there.
Tarah Wheeler:
Well, I think of spear phishing as an upgraded form of phishing. Phishing used to be an email that you would send and try to get into as many email inBeauxes as possible. That was an attempt to get somebody to click on a link, maybe to download some malware to get to a site that looked convincingly like some other site to get you to enter in relevant financial information. Spear phishing is, I would consider it an upgraded form of phishing where it is more targeted to the person that you’re actually sending it to. It perhaps incorporates something that you know about that person’s life, like maybe that they have kids or that they live in Tampa, Florida. It’s intended to be more targeting because the intent is to trick you into thinking that the person sending the email is someone you know and trust. That’s not necessarily always the case in a phishing campaign, a phishing campaign might mimic some other trusted Beaudy.
It might just be a random email. I think of spearfishing as upgraded phishing. When I think of AI enabled spear phishing, I think first of banks that have gotten trapped in routing processes and have inadvertently transferred information because at the right time, at the right moment, an email that catches somebody with the relevant information can have a far bigger impact than just a phishing or a spear phishing campaign alone. In this case, drifting for relevant information and predicting human behavior based on some AI enabled techniques. Let someone get to meet quickly enough that there was no need to have an expensive human making that decision. So I think of AI enabled spearfishing as the upgrade to spearfishing that includes the right time as part of the reason for it triggering to begin with.
Travis Taylor:
And in terms of the AI element to this, do you think there were using something like off the shelf AI like chat GPT or is there more specific AI based platforms that can be used for leveraging spear phishing campaigns?
Tarah Wheeler:
There’s a lot of open source tools out there that will let you run, train and test your own ai. There are quite a few platforms out there and open source and available natural language processing tools, which you can just run your own basic statistics on. A bunch of it has been released publicly. Much of it is from the academic world. Some of it is kind of hacky, but it’s almost all released open source. Not that it matters if it’s open source for the kind of people we’re talking about, but if you can steal that code and you can get it to run, it’s going to be good enough. It was good enough to write interesting texts to people and it might be predictive enough to get something across to them and convince them that it was you. The tools that are available now, they are configurable, they’re easy to use. It’s fast. It’s moving from a scammer. Having to physically dial a phone to an auto dialer is one way to think about it.
Travis Taylor:
So it’s not like they just go to bad guys or us on the dark web and say, I want a spearfishing AI and download that
Tarah Wheeler:
Accordingly. I’m sure there is. I’m absolutely sure that there are people who would supply that kind of software. There’s absolutely people who exist on the internet who are willing to sell you anything that you are willing to pay enough money for
Adam Levin:
And they want a piece of the action.
Tarah Wheeler:
They may have relevant software that they may have a license agreement, believe it or not, criminalizing this makes us forget that these people are professionals. What do we do as professionals? We exchange money for goods and services. And so somebody who’s got a reputation as someone who delivers on product is going to continue to stay in business. somebody who takes advantage of their customers on the dark web or wherever else after a while is going to get a reputation as being somebody that noBeaudy, not even decent criminals will do business with.
Adam Levin:
So Tarah, you talked about defense in depth. Can you explain that to our listeners?
Tarah Wheeler:
I would love to. So when I think about defense in depth, I think about the old analogy about Swiss cheese and walls. So if you think of a piece of Swiss cheese, it’s got a bunch of holes in it. And if you slice a block of Swiss cheese and you pick up one piece of Swiss cheese, it’s not going to stop an attack getting through, slap another piece of Swiss cheese over the top of it and some of those holes are going to get covered up fully or partially slap another piece of Swiss cheese over the top of that. And all of a sudden it might be a little harder to find a space to look through and see a hole through your Swiss cheese, keep going, stack it up to 10 or 15, and all of a sudden you can’t see through that Swiss cheese anymore.
At any given point, there are five layers of cheese stopping you from seeing through that stack of Swiss cheese. That’s what defense in depth looks like. It’s intended to be something that you can fall back on where each individual defense may not be perfect, but it’s going to catch most of what’s coming at it. And then whatever passes through it is caught by the next layer behind it. So for me, one of the defenses in the attack I described was that when somebody emailed me with their bank account information and said, can you put this in instead? The first defense in depth was that I had already added into our onboarding information to not send bank account information in emails, not don’t send personal private information in email ever. And so I knew that that had happened, which means, and it was just one of the pieces of information, but it got through that first defense.
Why? Because I was in a teaching mood. I knew the person already. It seemed like it was them. The name was right, the time was right. And so it got through my first defense. What was my second defense when they emailed back and said, oh, this is the correct bank account information, but I still can’t figure it out. It’s being so frustrating, Christina on Gusto chat wouldn’t let me fix it and I don’t know why I needed this job. And I was like, okay, I’m going to reply one more time. And I said, let’s talk about this over in Slack so that I can confirm that this is really what’s going on. I replied to it. But that next email that came back was even more specific. We all complain about Jeff or Christina on chat, the AI chat bot, the kind of thing where you complain about something and it’s a specific enough detail that it sounds convincing, right?
Every con artist uses that one and that got through and I’m a poker player and that got through. So I reply again, and then the next email came back super worried about this. Can we just do this as one time and I could figure it out for the next pay period? And that was the moment I looked at it and I went, I’m going to message them over in Slack and see what’s going on. I had told them not to send private information on email and that was like the fourth or fifth pieces of Swiss cheese. That’s what defense in depth is. It’s having a series of defenses. And as each one fails, you fall back to the next one and ask the next smart question, fall back on the next policy. One example of defense in depth. Many of you will have seen something as you send an email to someone that says, when it comes back to you external in the subject line, it’s warning somebody who’s looking at that email that it’s coming from somebody outside their organization. That’s one element of defense in depth. People can look at something like that and go, huh, that’s funny. Joe works down the hall. Why am I getting an external notice on his email? And that’s another piece of that Swiss cheese for that organization. That’s what defense in depth is.
Adam Levin:
There was one logical thing they played on too is that I was trying to onboard with the payroll company and they were giving me a hard time. It was a problem.
Tarah Wheeler:
It’s absolutely logical.
Adam Levin:
Beau and I have firsthand knowledge of how impossible payroll companies can be.
Beau Friedlander:
Oh my gosh. I mean the payroll company scam. There’s so many ways to skin that cat because they’re so incompetent. But Tarah, as I listened to you, describe defense in depth and I really do like the Swiss cheese metaphor. It works. It is clear as day. Well, if it’s done correctly, it’s opaque. But so my question here is how do you program people that we can have all these policies and I can see how these policies really do put some protection between you and the human condition. But at the end of the day, you still have the human condition. You still have human beings who are fallible. So what are some strategies that small business owners and parents of teenagers can put into practice to protect themselves from that just general state of being kind of fallible, having lives and thinking about other stuff?
Tarah Wheeler:
People are often so covered with shame when they’ve been hacked or taken advantage of when they’ve gotten on that phone call with tech support and they’ve handed over the keys to their computer. They’re so filled with the shame of it, and as a result, they often hope it’ll go away. I had a ransomware attack and that had happened because they had gotten on tech support with somebody and were convinced to download something. They didn’t know that shutting your computer lid didn’t mean that you were protected, shutting the computer off doesn’t do anything anymore. Now it’s all cloud accounts. And what they were hoping was that they could go away and come back later and that the scammer would’ve gone away. And so they shut the lid to the laptop, walked away, came back later on. Eventually I heard about what had happened. They just didn’t understand and they didn’t want to ask for help right up front.
They didn’t want to reach out to their tech support or that the people that they knew that were technical because they were so ashamed of having gotten on the call, they felt so stupid for having given this information away to what they thought of as Windows tech support. And they realized this is the number one thing small businesses can do. And the number one thing parents of teenagers can do is convey to them that there is no shame in having gotten taken advantage of. It is not your fault that you have been victimized. It’s somebody in a small business who realizes they’ve done something wrong or clicks on something or sees a problem, but they hope it’ll go away or they don’t want to admit that they were taken advantage of. The same thing’s going to happen with kids, with teenagers, frankly, with older folks in your family, they’re not going to want to admit that they’re not quite as on or quite as aware as they used to be.
They don’t want to admit that happened and as a result, they don’t want to talk about it. The number one thing I hear from people who have had this kind of experience is, I could have fixed much if I had just asked somebody sooner than I trust it. Establish that trust before the hack happens. If you’re a parent of a teenager, talk to them and say, if anything weird happens with your phone, with your computer, there’s no judgment. I’m going to help you fix it and we’re going to maintain your privacy as best we can. But there’s no shame in having had something happen to you. It’s not about what the person did. It’s about them having met a skilled scammer on the right day. That’s it.
Beau Friedlander:
And the shame thing really does matter because a lot of scammers know that if the content is sexual in nature or you have been in some way interacting with sexual content, you are probably not going to say anything. And you know what kids, if you’re listening, you’re not the first ones to ever interact with sexual content and it’s okay and you can say something and if it’s not okay, get new parents.
Tarah Wheeler:
Yeah.
Adam Levin:
But I think it also relates to something we’ve talked about a lot in this show, and that is one of my favorite people in cybersecurity, Tarah Bruce Schnier. And he loves to say that people think by throwing a ton of money at technology is going to solve your security problems. But the truth of the matter is that you don’t understand security and you don’t understand technology if you think it’s all about the money that you have to create a culture of privacy and security in your business life, in your personal life. And you have to make sure that the people with whom you work and the people that work for you and your family all understand the fact that they have got to feel comfortable talking to you.
Tarah Wheeler:
Absolutely.
Adam Levin:
Because if they don’t, it hurts them. It hurts you. It’s the whole thing about one teeny little mistake by a young person in a household that goes unchecked, that involves cyber, could lead to a compromise of the parent, could lead compromise of the company they work for. And if that company’s part of the supply chain could have a much bigger impact. One more thing, Tarah, you’ve been a huge advocate for bringing more women into cybersecurity. How are we doing on that front?
Tarah Wheeler:
Getting worse? Women are leaving the field. Venture capital for women entrepreneurs has halved over the last two years. Grants are drying up and most of the companies, most of the capital cycles have been taken up with what you would call a diversity investment. It’s rare, it’s getting worse. It’s frankly not getting better. I hate to paint such a bleak picture of it, but the only way to tackle something like this is tackle it with the truth. The answer is the move to remote work hit women very hard because it started to expose some of the inequalities in things that women were expected to take care of more as primary caregivers. All of a sudden, daycare went away and women ended up taking on much more of the share of duties at home, especially if they were already trapped in a gender pay gap, meaning that their spouse might’ve been being paid more than them to begin with when that math changes.
So do women’s lives. So the answer is there’s a lot of ways to bring women into technology. I like at this point to work on keeping women’s businesses especially safe. I especially often reach out to women who own MSPs. It’s a great business to go to, by the way. There is never enough hands to keep everybody safe. And so if you’re a woman thinking as a technologist, Hey, I wonder if I want to start a business keeping people safe, start an MSSP. There are not enough hands to go around my friend. So there’s real positive ways to make that impact. Call out when you see that contracts that you are bidding on or having people bid on don’t include diverse contractors. And the reason why is we have a diverse company and we see things that other people don’t see. People surface things to my attention that I wouldn’t have known because I don’t share some of their experiences. It’s not about the demographic. It’s about a different lived experience that brings you a richness in product design and security and perspective thoughts. That’s really why we do this.
Beau Friedlander:
And as a father of daughters, I can tell you that I am constantly amazed by what I don’t know and learn when I ask them questions.
Tarah Wheeler:
Absolutely open the doors they’ll walk through.
Adam Levin:
Tarah, thank you so much for joining us today.
Tarah Wheeler:
You are very welcome. Hey, I’m not ashamed of having been the victim of a artist on the wrong day, at the wrong time for me and the right day and the right time for them, and no one else should be either.
Beau Friedlander:
It was really great hearing this. Thank you so much, Tara.
Tarah Wheeler:
Pleasure.
Beau Friedlander:
Okay, guys, now it’s time for the tinfoil Swan,
Adam Levin:
Our paranoid takeaway to keep you safe on and offline.
Beau Friedlander:
Did you hear the news about Kate Middleton?
Adam Levin:
I did. And I sure hope she has a successful recovery.
Beau Friedlander:
No, no, no, no. It’s not the one I’m talking about. She was abducted by terrorists. Apparently. I
Travis Taylor:
Heard it was aliens.
Adam Levin:
Well, the real headline here, other than her diagnosis is that China, Russia, and Iran all allegedly out of hand in spreading rumors about her in an attempt to destabilize Britain.
Travis Taylor:
And that certainly seems to be their mo
Beau Friedlander:
Right? But considering the fact that a relatively anodyne public figure can mess things up
Adam Levin:
And it’s an election year,
Travis Taylor:
Yeah, that means it’s more important than ever to be on the lookout for disinformation and misinformation in your newsfeed.
Adam Levin:
The reason hostel foreign powers invest their resources and online disinformation is because it works.
Travis Taylor:
And it’s not even about pushing a specific narrative or agenda. The purpose is often just to, so chaos.
Beau Friedlander:
The easiest way to destroy a country is to flood it with drugs like, I don’t know, say fentanyl. Well, that used to be the case. Social media is the new opiate of the masses.
Travis Taylor:
QED.
Adam Levin:
That’s a cheerful thought.
Beau Friedlander:
So what are some ways to spot misinformation? Adam? You first
Adam Levin:
Consider the source. If you’re reading shocking headline and it’s on a news outlet you never heard of, it’s likely to be fake.
Travis Taylor:
And in the same vein, if you read something on social media but haven’t actually seen it in any news outlets, treat it the same way you would as if a random stranger on the bus told it to you.
Beau Friedlander:
And if you’re feeling particularly Travis, you can do a reverse search on an image in a suspect article. A lot of phony news will come with photos from real news stories
Adam Levin:
And go slow disinformation and misinformation or designed to trigger a strong reaction if you’re reading something truly shocking. Give it a second. See if you can confirm the story with another news outlet.
Travis Taylor:
And that’s our tinfoil swan. What the heck with Adam Levin is a production of loud dream media. You can find us online at adamlevin.com and on Instagram, Twitter, and Facebook at Adam K Levin.
