[00:00:03] You have to realize that in the age of COVID-19, phishing has increased 350%.

There were 300,000 plus new suspicious COVID-19 websites spun up in March alone.

[00:00:28] Michelle: Welcome back to AARP’s The Perfect Scam.


I’m your host, Michelle Kosinski.

These are the people who craft the perfect scams.

But in this case, these sneakiest of skills are used for good.


You’ll see how that worked out.

Have you seen the movie “Catch Me If You Can” by the way?

Welcome back, Frank.


[00:01:55] Frank Abagnale: Thank you, Michelle.

So I placed a phone call to the executive headquarters of Pan Am.

I said, “Well we flew in here yesterday, we’re going out tonight.


Yesterday I sent my uniform out through the hotel to have it dry cleaned.

Now the cleaner and the hotel said they can’t find it.

Here I am with a flight in several hours, and no uniform.”

So he said, “Hold on, I’ll be right back.”

Unfortunately, today there are many forms of communications enabled to social engineer people, and nothing’s changed.

People social engineer people constantly to get information from people.

[00:03:26] Michelle: It’s true.

Journalists do it too.

It is extremely effective.

Well, the sim card in my phone is broken, I need to replace it.

[00:04:35] Michelle: For sure.

All right, thanks, Frank.

[00:04:44] Rachel Tobac: Yep, based in San Francisco.

[00:04:45] Michelle: Where did you grow up?

[00:04:47] Rachel Tobac: I grew up in Pittsburgh, Pennsylvania.

I’m a big fan of that too.

[00:04:51] Michelle: Rachel got her start at college studying none other than, the human mind.

[00:04:57] Rachel Tobac: I went to school for neuroscience and behavioral and cognitive psychology.

So that means I was in a rat lab performing rat surgery trying to learn about the human brain.

And when I was there, I learned a lot about how people think, how they make decisions.

[00:05:13] Michelle: Well that’s not so far off from this.

And tells her, she’s the one who would really enjoy this.

I’m like, “Yeah.”

And he’s like, “They’re doing that, but they’re doing it for good.

They’re trying to show people how hacking works.

[00:06:15] Michelle: She was hooked on hacking, ethical hacking.

Today, she has her own company that offers personalized social engineering training.

[00:06:41] Michelle: What are you trying to do?

You’re just pretending to be somebody else and trying to convince them to do things?

[00:06:48] Rachel Tobac: Yeah, that’s exactly right.

That’s called a vishing attack.

[00:07:11] Michelle: Do you use a funny voice just for laughs?

[00:07:15] Rachel Tobac: I usually do not.

Some people use accents.

[00:07:26] Michelle: Ooh, you have all the tools, don’t you?

[00:07:28] Rachel Tobac: I do.

[00:07:29] Michelle: Do you have like this hacking dungeon in your house?

[00:07:33] Rachel Tobac: Uh, it’s pretty well lit.

[00:08:08] Rachel Tobac: That’s exactly right.

I love that you’re thinking like that, like an attacker.

How easy you’re able to find that on Facebook with birthday posts, right?

[00:08:35] Michelle: Yeah, that’s amazing.

[00:08:43] Michelle: Exactly.

[00:08:44] Michelle: It doesn’t take long to see that Rachel is passionate about this.

[00:08:49] Rachel Tobac: I love it because every single day is a challenge.

I have a giant puzzle in front of me, and I need to find a way in.

And I will find a way in, but it’s going to take a little bit of time.

[00:09:13] Michelle: And about what percentage of the companies that you work with are like that?

[00:09:32] Rachel Tobac: Mouth agape, staring at me like a deer in the headlights.

[00:09:36] Michelle: You must feel so smart when you get them.

[00:09:40] Rachel Tobac: Um, you know what, honestly, I don’t.

And this is a really important point.

The term that I like to use is politely paranoid.

[00:10:17] Michelle: Oh, okay.

Which, you might have noticed, Michelle, I did with you this morning.

I’m paranoid, and maybe not even politely paranoid.

Like when people call me, a company calls me for something, I’m like, really?

How do I know this is you?

Why would I give you that information?

They just don’t look right.

In the past, I have been great at being the one not to select them.

This thing was immaculate in every way.

Seriously, I was all over this.

There were literally zero of the usual trusty red flags.

I was a goner.

I was so annoyed at myself.

It took one good deal to blind me.

Ah, the eternal power of greed.

And it doesn’t seem too good to be true either.

[00:12:36] Rachel Tobac: Right, it’s just a low enough number that it sounds legit.

So, what would you do in this scenario?

You wouldn’t click this link.

Instead you would… come on, come on.

[00:12:46] Michelle: I would go to their web–, their real website?

[00:12:48] Rachel Tobac: Yeah.

[00:12:49] Michelle: …and try it through there.

[00:12:50] Exactly.

[00:12:50] Michelle: Okay, just to double-check that it’s real.

[00:12:52] Rachel Tobac: That’s exactly it.

That’s exactly it.

[00:12:59] Rachel Tobac: Right.

Right, you’ll be on the call for a week.

So um, you have to double-check that instead you go directly to the real legitimate website.

[00:13:06] Michelle: That’s smart.

[00:13:28] Rachel Tobac: Are you ready, Michelle?

I’m about to hack you.

[00:13:30] Michelle: Yeah.

[00:13:31] Rachel Tobac: Okay.

And I want to know, how long did it take you to build this fake link?

[00:13:50] Rachel Tobac: Oh, we just did it last night.

[00:13:51] Michelle: So it took like less than an hour?

[00:13:54] Rachel Tobac: Yeah.

(chuckle) It’s scary, right?

[00:13:59] Michelle: I would have been all over this.

[00:14:02] Rachel Tobac: I know.

[00:14:09] Rachel Tobac: They’re likely sending it out 10,000 at a time.

[00:14:12] Michelle: Got it.

[00:14:30] Rachel Tobac: Yes.

[00:14:55] Michelle: I just sent them.

[00:14:57] Rachel Tobac: All right, let’s see on my end here.

Okay, it says that you submitted data, great.

I have your credentials.

[00:15:09] Rachel Tobac: Okay, so your username is ABC123.

[00:15:13] Michelle: Yeah, which is fake, that’s not really what I use.

[00:15:21] Michelle: Yeah.

Imagine how scary that is, right?

[00:15:45] Michelle: Yeah.

This is so disappointing.

[00:15:54] Rachel Tobac: Yeah.

[00:15:55] Michelle: So much for that.

[00:15:59] Michelle: Exactly.

[00:15:59] Rachel Tobac: And we’re seeing those increase.

So you might be used to seeing something like, this is the IRS.

You’re in trouble.

And you’re like, ah, that’s fake.

[00:16:09] Michelle: Right.

[00:16:09] Rachel Tobac: But what about free airline miles during COVID-19?

Ooh, that sounds great.

[00:16:14] Michelle: Yeah, or some kind of deal on something.

Oh, how embarrassing.

I was all over that.

[00:16:19] Rachel Tobac: Every social engineer, every hacker I know has been successfully phished.

[00:16:23] Michelle: Have you been successfully phished?

[00:16:26] Rachel Tobac: Yes.

[00:16:26] Michelle: How did they get you?

[00:16:28] Rachel Tobac: I can’t tell you that.

It just seems so cumbersome.

[00:17:20] Rachel Tobac: Passwords are really inconvenient, right?

[00:17:36] Rachel Tobac: That’s right.

[00:17:40] Michelle: Well what if the password manager gets breached?

[00:17:43] Rachel Tobac: Okay, so that’s a really good point.

[00:17:53] Michelle: That’s what I figured, okay.

[00:17:54] Rachel Tobac: Yes, completely encrypted.

But let’s say something goes completely haywire.

So it’s really simple.

It is a credential harvesting phishing website.

I’m not putting your credentials in.

[00:19:34] Michelle: Okay.

[00:19:40] Michelle: How?

[00:19:40] Rachel Tobac: Okay.

I use what’s called spoofing software.

[00:19:44] Michelle: Oh.

[00:19:57] Michelle: Okay.

On one of my phones, it immediately sensed something sinister, and just completely blocked her.

(phone ring)

[00:20:23] Michelle: Hello.

Whoever could this be?

[00:20:26] Rachel Tobac: Michelle?

[00:20:27] Michelle: Yes.

[00:20:28] Can you hear me?

This is Kevin over at Apple Support.

How’s it going today?

[00:20:33] Michelle: Uh, okay, Rachel.

[00:20:36] Michelle: She tries it again, this time with a different spoofing method.

She wants the caller ID on my phone to say that it’s Dell Support.

[00:20:47] Michelle: Hello.

[00:20:50] Rachel Tobac: Hey, there, Michelle.

This is Alex from Dell Support.

Can you see that on your end?

How’re ya doing?

[00:20:56] Michelle: Well guess what it says on the top of my phone for your number.

[00:20:59] Rachel Tobac: Ooh, I’m excited.

What does it say?

[00:21:00] Michelle: It says, SPAM RISK yo!

[00:21:04] Rachel Tobac: Oh great job, you have additional spam protection.

[00:21:09] Michelle: I do like the voice though, it’s very effective.

[00:21:12] Rachel Tobac: That’s awesome.

Yeah, what’s really exciting is there’s new spam protection to protect consumers.

I’m so glad that you have that.

[00:21:20] Michelle: Oh, that’s something new?

[00:21:22] Rachel Tobac: That’s new, yes.

[00:21:23] Michelle: Okay, cool.

I would not have known this was you.

[00:21:32] Rachel Tobac: Yeah, it’s pretty wild.

[00:21:38] Michelle: Spoofing is pretty scary.

It can make people think a legit organization or even a government office is calling you.

Don’t read everything out loud, and don’t freak out.

[00:22:49] Michelle: Oh no.

[00:22:55] Michelle: All right, okay.

[00:22:55] Rachel Tobac: So you could look through here.

[00:22:56] Michelle: So I’m opening it up now.

There shouldn’t be anything bad about me out there.

[00:23:31] Rachel Tobac: Yes.

I don’t like people to know exactly where I am at a particular minute.

[00:23:49] Michelle: Yeah.

[00:24:01] Michelle: That’s true.

[00:24:12] Michelle: …information.

But I see what you’re saying.

[00:24:21] Rachel Tobac: Exactly.

Like your ballet tweet here.

You said in February that you went to see the TW Ballet’s Romeo and Juliet.

Maybe it wouldn’t be a data breach.

[00:24:58] Rachel Tobac: Exactly.

So does that make sense about how…

[00:25:01] Michelle: Totally.

[00:25:01] Rachel Tobac: …it’s not always scary, yeah.

If the school were to email me and say, “Hey, we’re reopening after COVID-19.”

I probably would be likely to click that, right?

[00:25:46] Michelle: That’s very interesting.

And so, when you looked at my profiles online, did you see holes?

Did you see things that I shouldn’t be doing, any advice you would give me?

[00:25:59] Rachel Tobac: Um, you were doing really, really well, Michelle.

I think your time…

[00:26:02] Michelle: Oh okay, thanks.

Yeah, too much information.

[00:26:27] Michelle: Yeah, that, that’s a problem.

So what about companies?

They have access to the latest technology and training.

How are they doing?

[00:26:40] Michelle: Ah.

[00:27:10] Michelle: Yeah.

That’s, that’s incredible.

And how long, when you said that you have been phished successfully, how long ago was that?

[00:27:19] Rachel Tobac: Um, I was phished successfully about five or so years ago.

[00:27:39] Michelle: Oh, absolutely.

We know this from Google’s transparency report about phishing.

And there were 300,000 plus new suspicious COVID-19 websites spun up in March alone.

[00:28:20] Michelle: I’m really happy you’re on this side of the good guys.

[00:28:22] Rachel Tobac: Me too.

[00:28:23] Michelle: ‘Cause you would be a really good bad guy.

[00:28:26] Rachel Tobac: I hope my job becomes really, really hard one day.

Who wouldn’t say, wow, I’m very interested in that.

[00:29:28] Frank Abagnale: Exactly.

[00:29:33] Frank Abagnale: Right.

[00:29:50] Michelle: …through that medium.

[00:30:39] Frank Abagnale: Yeah, I mean it’s the simplest thing in the world.

So technology certainly has made it a lot, lot easier than it was 50 years ago.

[00:31:12] Michelle: Thanks, as always, Frank.

[00:31:14] Frank Abagnale: Thank you, Michelle.

Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts.

For AARP’s The Perfect Scam, I’m Michelle Kosinski.

Rachel shares her knowledge of social engineering and walks Michelle through a “live” phishing scam.

AARP’s Fraud Watch Network can help you spot and avoid scams.