That's Life, I Swear

Interview #6 Allan Reyes & Kris Steinwender - Navigating the Digital Minefield: Scams and Spam

Rick Barron Season 3 Episode 132


Shownotes

The conversation explores the topics of scams and spam in the digital world, providing guidance on how to navigate and protect oneself. The guests discuss the difference between spam and scams, how scammers obtain personal information, and the importance of strong passwords and password management.

They also touch on the role of antivirus software in protecting against malicious activities and the need to stay updated with the latest security measures. The conversation emphasizes the importance of seeking help from trusted individuals and staying informed about new technologies. In this conversation, Kris and Allan discuss various cybersecurity threats and scams, and provide practical tips for protecting oneself. They cover topics such as phishing emails, fraudulent websites, AI-generated scam calls, and social media scams. 

The key takeaways include the importance of having an action plan in case of a cybersecurity incident, being cautious of suspicious emails and messages, setting up multi-factor authentication, and being aware of the tactics used by scammers. They also emphasize the need to stay informed and not be afraid of technology, while also seeking advice from trusted sources.

Supporting links

1. 10 tips on how to help reduce spam [Microsoft Support]
2. Check Website Reputation [SCAMVOID]
3. How to check if a website is a scam [YouTube]
4. That panicky call from a relative? [NPR]
5. Multi-factor authentication [Wikipedia]


Contact That's Life, I Swear

Thank you for following the That's Life I Swear podcast!!

Transcript
 

Chapters

00:00 Introduction and Overview

03:10 Understanding Scams and Spam

09:47 Obtaining Personal Information

17:35 Importance of Strong Passwords and Password Management

20:19 The Role of Antivirus Software

24:25 Staying Informed and Seeking Help

27:43 Cybersecurity Threats and Scams

31:43 Importance of Remediation Plan

45:26 Protective Measures for Cybersecurity

52:06 Understanding Phishing Emails

54:31 Identifying Fraudulent Websites

56:23 Balancing Support and Boundaries

 

Full Transcript

Rick Barron (00:00.492)

Hi everyone, I'm Rick Barron, your host, and welcome to my podcast, That's Life, I Swear. 

So, is it just me or does it feel like we're forever dealing with scams or spams from every direction on the internet in our mobile phones? 

I mean, there's robocalls, phishing emails, scammy text messages, and now to make matters even worse, we now have AI in the picture being used to produce even more convincing tricks such as phony bank calls. 

I mean, the line between legitimate and fraudulent is more confusing than ever. Fortunately, today, I have two individuals who will provide guidance on how you can navigate this digital minefield. 

My guests today are Allan Reyes, a senior program manager for data protection, privacy and security at Cisco.

Secondly, I have Kris Steinwender, a strategic security risk manager, also at Cisco.

During our discussion, we'll touch on such items as best practices to protect personal information, steps on how to block spam, and what to do if you click the suspicious link by accident, and more. So that said, please join me as I have my conversation with Allan and Kris.

Guys, welcome to the show.

Kris S. (01:29.656)

Thank you for having us.

Rick Barron (01:30.941)

I've been looking forward to this, so if I could ask each of you, maybe Kris, you can kick it off. Just kind of do a short introduction of who you are and what you are doing today and go from there.

Kris S. (01:45.1)

Yeah, my pleasure. So my name is Kris Steinwender. I've been in IT for my entire life and only recently got into security in the last five to seven years. Currently involved in one of our engineering organizations here at Cisco looking at security, privacy and risk as applications or new services are being developed.

Rick Barron (02:01.807)

Great. Allan?

Allan R (02:04.434)

Hi, Allan Reyes. I, as you indicated, have been at Cisco for maybe, well, I've been at Cisco for quite a while, but doing data protection and privacy for maybe the last 10. A lot of the focus has been on governance, meaning setting up processes to protect our customers and employees, company and personal data. A lot of it also extends to the kind of industry learnings that we'll be sharing with here today and actually is more applicable than just to a corporate environment. It can be helpful on a personal level; it can help a family. And so, some of these best practices and due diligence, I hope will help some of your audience.

Rick Barron (02:46.753)

That's great to hear. Well, looks like I'm in pretty good hands here with you guys. So, let's start off with some basics. Let's start off with a definition. I'm sure a lot of people are still kind of confused out there, particularly seniors, if you will. What is the definition for spam and scamming? I mean, what's the difference between the two? Who wants to take that one?

Kris S. (03:10.598)

I'll roll with it. So typically, spam is an email or a message that's just trying to sell you something, whereas a scam is really trying to extort something from you where they're offering you something that's too good to be true and they're really trying to get, at the end of the day, money from you because they know you have it.

Rick Barron (03:29.069)

Right. Now, how would one get that? Would it be mainly through email? Could it be through your social media account, maybe Twitter, Instagram, Facebook? All the above, huh?

Kris S. (03:41.07)

All the above. So, email, text message, Instagram, Facebook. Really what they're doing is they're sending out a lot of attempts and they hope that someone bites on and nibbles and then they take the next steps from there. Typically, in a scam or something where they're targeting people, they may have more information on you already from another data source, public records, a data breach, something like that, where they know you, Joe Q. User, live at this address and have worked for this company, where they can start crafting a message custom-tailored to you because they want you to believe that they know you. They want to garner your trust before they take that next step.

Rick Barron (04:13.242)

Right.

Rick Barron (04:24.047)

So how did these guys do this? I mean, do they just sit there and just collectively just start scanning various emails or even phone numbers? I mean, how did they do this? Where did they get this information? Any idea how that might happen?

Allan R (04:41.084)

So, I'll take a stab at part of that. So, the idea of a spam is they already have an idea in place, a system in place where they're looking to scam individuals, right? So that's how you interchange those words. Spam is the, it's like throwing a giant net out to catch fish, right? Which is another term that we'll probably touch on later. But so, spam is they just send this thing out.

Rick Barron (04:44.153)

Okay.

Allan R (05:10.17)

Now, where did they get the information? Well, unbeknownst to a lot of folks, the use of any goods or services provides your information to public record and or data brokers. And what a lot of these folks can do is they can actually get your information similar to getting other marketing information from you. You know, how does Target know to send you flyers? 

How does, you know, how do the people who cold call you about buying your house, where do they get that information from? A lot of your information is within the public domain. And so, what these scammers will do is they will send spam to just all the different areas that your information is public, hoping something catches. That's generally speaking what happens is they have this technique where they will send something that seems like it will catch your eye, and they just send it blindly to these public pieces of information that are out there.

And there's sometimes not much you can do with your information being in the public domain. Your name is in voter registration records, your name is in property records, tax records, depending on your jurisdiction within the United States, a lot of information that you just can't help are within the public domain. They know this.

And so that's how they arrive at a lot of your information. Now there is more specific stuff that you might've heard terms like the dark web. Well, some of these information brokers, you know, are all on the up and up. Some of the people that deal within the dark web or these other domains are not on the up and up. And what happens is they, they hack other companies, right? You might've heard data breach be a term used? Well, there will be a data breach at a public company, at a hospital, at a whatever, and then they get more specific information about you. And what they do is what they call a spear phishing attack. So, versus the giant net that they send out, hoping someone catches, they call it spear phishing. It's much more targeted. And now I know Kris works at Cisco. 

I will venture my spam so that I sound like I know Kris. Hey, it's me, I'm from Cisco. Remember me? We used to do this. Can you please click on this link to donate to my cause? Now he thinks it's coming from someone who may have been a peer of his because I have a little bit more information and that's considered spear phishing and that happens as well.

Rick Barron (07:54.671)

So, I've heard the term SIM swapping. Does that tie into what you're describing, how they would get a hold of you, like get a hold of Kris and saying, we've talked before, I'm here to offer you something? Or is that something completely different?

Allan R (08:08.497)

So, the way I interpret SIM swapping is when you have a mobile device or something using wireless, you have to have a SIM card. And SIM swapping is you're moving your information from one device to a different one. So, it's keeping what your information is and you're moving it to a new device. But what I think that you're touching on is within the context of SIM swapping is actually called number spoofing.

Rick Barron (08:29.647)

Hmm.

Allan R (08:41.776)

Right? Or they spoof. Now that's another, you can call it a technical term, but in reality, it's pretending to be somebody else. So, I've actually had situations where I had a number calling me and it was my own number. So, somebody was pretending to call me as me. I never, I didn't pick up the phone, but you can get a number that looks like it's calling from a legitimate agency, person, individual, but it's not really them. And it is really something to look out for because technology allows you to do that.

Rick Barron (09:18.167)

Right, so going back to what you said that the information is in quote unquote the public domain. So unbeknownst to us, it's like it's there for the taking. I mean, if someone is, you know, I don't know how these guys do this, get this information. Wouldn't a company, say Target, who has this information, have the means to understand that, hey, someone here is prying into our servers, if you will, to get this information, so we have to block them? I mean, there's something like that? Is that in the works or does that, can they prevent someone from doing that?

Kris S. (09:59.05)

It's, so the companies are out there doing it already. One of the problems though, when there is a data breach, once the data is exfiltrated from whoever the target was, it's gone. It's out there in the public domain. So yes, a company will respond in whatever their incident response procedures are, but basically the data is gone. So with the data being out in the public domain, they can then use that to target people to what Allan was talking about, where one of the common scams you see right now is you'll get an email:

Kris S. (10:27.128)

Hello, Rick, I'm, you insert random name here. I know you once used this password and there'll be a password there that you recognize from a website you used in the past. So what they're doing is they're using a data breach where your password was compromised before and using it to try and garner your trust. And in the case of a lot of these scams, because they've got your name and they've got a previous password, they're trying to extort you for Bitcoin and saying they've got nefarious materials on you.

Rick Barron (10:54.437)

So, when you see something like that appear on your computer, I think you even said, Kris, take a deep breath. But what should one do? I mean, who would they contact? Or do they contact the vendor that's appearing on that email, if you will?

Kris S. (11:15.31)

Typically, there won't be a vendor on it. It'll be some anonymous email address somewhere. Just trying to gain your confidence. The first thing I would do is try and remember where did I use that password last and then change it. And then definitely make sure that you're using one password per one website, not the same password across multiples. Then I typically, I would just delete it. I mean, with the quantity of these that come in, I would just throw it in the trash bin and then move on about my day.

Rick Barron (11:35.745)

Mm

Kris S. (11:44.866)

I think the only time I would look at reaching out to law enforcement, the FTC or some of the government agencies out there is if I've happened to fall for it. If I saw an email, hey Kris, this was your password at one point, and then I actually sent them money only to turn out that there was no legitimacy behind this. Then I want to go and talk to my local PD, the FBI, whoever to say, I've actively been extorted and this is what caused that to happen. 

Rick Barron (12:09.009)

Right. Well, I know there was one time I received an email from my bank that I have my credit card with. And I looked at the text. I looked at the banner. I mean, it just looked so legit, but something in my gut said, why doesn't this look right? And they even had a phone number on the email. So, I looked at my credit card because there was a number there. I looked on my bank statement or my credit card statement, checked the numbers that they provide, and it wasn't even close. So, I thought, okay, this is not legit. So, at that point, I did contact the bank, explained to them what I was seeing, and they said, you did the right thing by calling the number that's on your card or on the bank statement. If you ever see something like that again, never, never call that number because at that point, they gotcha.

Allan R (13:15.471)

Well, to add to what you just said, the techniques that they use to spam folks to ultimately scam folks, they're getting pretty sophisticated. If you did happen to call the number you might get an individual who's very well versed on the kinds of things that would alarm you to the legitimacy of their claim. They could have additional information. Do you live at this address? Is this your phone number?

That's information that again, they exfiltrated previously that they use to try to legitimize what they're going to say is a problem that you need to act on very quickly. And the steps that you just mentioned are very important. You have to have this ability to verify whether something immediate has happened. So, if you see a notice that says, you know, you have real bad bank something.

Okay, can you find a way to access your bank information without clicking on their link and without calling back on their phone number? So, it could be on a separate device. Let's say you saw that email on your laptop. Can you access your bank information from your phone to see whether or not your money is still there? Right? And in order to do that, again, don't use the thing that you got contacted on.

You have to use the legitimate bank website or the legitimate bank phone number. And you do that by looking at the back of your card. It has the real website there that you have to hand type in. It has the real phone number there that gets you to the corporate number. And I've done the same thing as you. Hey, I just got this thing that said something happened. Do you see any alerts on my account that show fraud? And they'll say no. And they'll say, how did they contact you? What information did they have?

Rick Barron (15:00.402)

Mm

Allan R (15:10.328)

And they themselves also try to curb this type of behavior, what's within their power though. But the key of it is you cannot contact how you were originally reached out to. You might even get a text message on your phone that says these very alarming things, click on this link to open a case with us. At that point, like you said, they gotcha. You click on the link; you've installed some kind of malware on your phone.

Kris S. (15:44.27)

I think I'll expand on what you're saying: call the phone number that's on the card or on the materials that they've mailed you or physically mailed you. Don't go to your favorite search engine and search for your bank name or whatever company you're trying to contact because they will take out advertisements on those websites and say, we're XYZ Bank Company, click here for support.

In reality, it's not the bank, it's the malicious party taking out those ads, trying to take advantage of you for not actually using what's on the physical card, but using the computer to try and get that information.

Allan R (16:19.556)

And you can click on a link and they can even set up, this might be alarming, but they can even set up a dummy website that looks exactly like the bank. It'll look exactly like it and you won't even be able to tell based on the address that you see in your bar. You won't even be able to tell that it's not. So that's why I recommended information that is on the back of your card. It has what the real URL is. Go somewhere else.

Rick Barron (16:29.187)

Hmm. I've heard of that.

Allan R (16:47.588)

Open up your own browser, hand type the information in, you know, or better yet, call the phone number so you can feel a little bit more comfort talking to a live individual. But again, it's the phone number based on the back of your card. You know that one is more legitimate than any other resource you have.

Rick Barron (17:05.733)

So, we've mentioned something along the lines of such things as passwords. I mean, how important is it to have what they call strong passwords? What does that mean? It probably sounds obvious maybe to us, but to those who hear that term but they're not sure, then I've also been told that it's probably in your best interest to periodically change your password. So, who would like to take that one on?

Allan R (17:35.462)

Go ahead, Kris.

Kris S. (17:35.566)

Yeah, I'll go for it. So, the key with passwords is as computing power gets more powerful as time progresses, it gets easier and easier to crack shorter passwords. So, you don't want something as simple as password 123. You don't want your last name with like a number on the end. You actually want something with some meat to it, some length to it. There are a few trains of thoughts here. You can use something called a password manager. 

It obviates the need for remembering the passwords. It's one password and the password manager actually stores them all for you and generates them for you, makes it really easy. You go to a website, you click a button and it feels like you're using a password. If that's not something you want to use, start thinking of passphrases. So instead of just one word and a number, that might be eight or 10 characters, think of a phrase that would go into that box. The fox jumped over the fence or my cat did that.

Something more of a sentence, because that makes it longer but also more memorable. The key with passwords as well as changing them is making sure you're also using them only on one website at a time. So, if you use the same password across 10 websites and one of those websites gets breached or cracked and your password is exposed, whoever has access to that data now can then use your login across all those 10 websites where you used that password previously.

Rick Barron (18:54.767)

Got it. Allan, you have anything to add to that or?

Allan R (18:59.442)

Well, I was just going to add that with what Kris said, using the same password across different user groups. The technology is so advanced that they can write what's called a script. And they could just try it out there to see what combination of username and password works across these very many different domains. And if you use the same one across something, they're likely to hit.

It's really just a best practice to have different ones, especially for sensitive accounts like banks, credit cards, financial, healthcare, you know, those kinds of things anywhere where they can exploit money from you. It's best to probably have a different password per each of those.

Rick Barron (19:49.465)

Right. So, if someone has their computer impacted, people say you probably need to get it down to your local, you know, computer department, say like, you know, Geek Squad, if you will, have it scrubbed and cleaned. So, you've done that. But what types of anti-virus software could be recommended for people to say, look, you didn't do it the first time, but now you need to do it because now you've been hit. 

So here are some recommendations of why you might want to use this type of software and should you just go through a reputable store per se, rather than going online to download such software.

That's kind of a loaded question there.

Kris S. (20:38.318)

Yeah, typically, especially in the Microsoft world, Microsoft Defender comes pre-installed with Windows 10, I believe Windows 11 as well. That's a good baseline to start with, the vendor's actually providing it. You can go above and beyond that with like, Norton, Inovirus, Malwarebytes, which is something I personally use to add just an extra layer of protection. On the Mac side of the house, there's things like ClamAV and things that you can install to help you in this space.

A lot of these packages now, they're not necessarily looking at viruses or malware per se, but they're making sure that you're not connecting to a fraudulent website. So you want something that will integrate with the web browser to say, hey, yes, I've actually gone to www.bank.com and you've actually typed in the correct URL, this isn't nefarious. Conversely, if you go to a website that is impacted or fake, it'll actually pop off the screen and protect you from actually going any further.

Rick Barron (21:11.375)

Hmm.

Kris S. (21:29.326)

So, it acts as like a middle word to say, yes, you've clicked on the correct website or no, you've clicked on an incorrect website. And then it may actually go a step further. And if you go into the incorrect website and that website's trying to do something bad to your machine, like download malware or something like that, those software packages would typically block that from occurring. The key there really though is, you know, we get bombarded with messages and we just click, okay, we click, okay, we just keep going through it thinking we're not doing anything wrong.

Kris S. (21:56.77)

You want to make sure that if you're using a package like this and it says, hey, this website is bad. This website is nefarious. You don't click the button from the get-go. You actually look at it and you read it and you understand. So, you know, no, I don't want to proceed. You know, you actually take into account what it's trying to warn you of before blindly hitting OK.

Rick Barron (22:14.37)

Right, wow.

Allan R (22:15.504)

And then what I will add to that is exactly what Kris was saying. This acts as a, we'll call it a concierge to curb activities that you may or may not have known that you might do, right? Bad website. Sometimes it does scan your repositories and finds whether you've downloaded malware. But another key to that is if you do have some of the software, it's allowing to get to the latest version of the software that's installed within your system.

So, you know, the Defender, the McAfee, the Norton, there's always new kinds of viruses and workarounds that the bad guys are on top of. And the reason for this software is it's providing you a value add. So, they have to stay on top of whatever the new attacks are. And so, you have to make sure that you're maintaining the latest revisions of things, because it patches up vulnerabilities that are found. It adds new sometimes capabilities that are needed based on the latest revisions of bad stuff going around. And so, what was not a threat before might be a new threat uncovered by researchers.

They put it in the next revision of that software. And usually your subscription is, everything's subscription now, but usually your subscription is good for a period of time. And if you have it available to load, it's best to stay current because you know, companies are trying to do their due diligence and patch stuff. And so, you want to be part, you want to participate in the patching or again, the newest and latest and greatest will get you simply because you're defending against old stuff, but not new stuff.

Rick Barron (23:57.743)

So, from what you guys have been sharing, this is great information. We appear to be living in a world that don't matter what we do, the bad guy is always going to try to be one or two steps ahead of us. So, this seems to be an ongoing cycle. I just, I don't know, how does one, how does a typical individual keep up with this? Because sooner or later, they may not say, you know, I'm not going to do any more upgrades to my security software. I just can't afford this anymore. But I think in the long run, I guess if they don't do that, it's going to be worse off. But what are your insights as to how does one just keep up with all this? Because I mean, these guys sound very good at what they do.

Kris S. (24:49.94)

I think the first thing there is find that trusted person in your life, niece, nephew, grandson, granddaughter, that technical person in the family. And first, get them a six pack or something because you're going to be leveraging their services quite a bit. You just ask if you can borrow their assistance. Ask if you can run something by them, if you get an email or a text message, if you can verify with them that this seems legitimate.

Kris S. (25:16.076)

Don't try to pick up the technology and understand it completely yourself. You'll drive yourself crazy. But find someone who geeks out over it who might say, yeah, that's obviously spam, just don't eat it.

Rick Barron (25:26.846)

Allan, what are your thoughts?

Allan R (25:29.292)

You know, I think the biggest one he said is trusted individual that has the cycles and, and affinity to be able to help you. You know, when I call Kris, he doesn't pick up the phone anymore. No, I'm kidding. But you know, no, but what I, what I really do mean is, you know, I, I know Kris, I don't know if that was mentioned in the introductions, but I know Kris and I know he has a, you know, a certain aptitude sometimes more so than me. So.

Kris S. (25:41.258)

I was using your phone number.

Allan R (25:57.412)

I will call and double check my information. Hey, I got this. What do you think? What should I do? Right? We can never believe we know everything. And so, it's really important to sometimes, you know, be able to have a trusted individual that you can just say, hey, look, I need another set of eyes on this. Does it look like what I think it is? What are the next steps do you think I should take? And then move forward from there. 

But what you can't do is be afraid of new technology and new because that's where we're moving anyway. I once had an individual that was trying to look for a physical media because that's the only way they thought they can get software. They thought that downloading the software from a site was too risky and I can't get the new virus software because they only want me to download it.

Rick Barron (26:30.018)

Mm

Allan R (26:53.616)

And I said, well, if you're only looking for physical media, good luck, because most companies don't have that available anymore. You just have to be okay and have a strong enough internet connection and go to the legitimate website. And that's the only way you're going to get it these days. Right. So.

Rick Barron (27:10.039)

Right, totally agree. So go ahead, Kris.

Kris S. (27:12.632)

So, I'll give you an example there. So, I'm a trusted advisor to a few people in my life, friends, family, things like that. And I got a phone call from Juan one day, you know, Kris, I got an email from a certain reputable vendor here saying my subscription was up. I thought I had a subscription with them. Turns out I didn't. What did I do? So went to their house, took a look at the email that came in and had the logo of the vendor, had their name, what the subscription allegedly was.

And then that family member said, okay, I clicked on the link they sent me and the screen went blank. And then I immediately pulled the network cable out. Okay, good. I'm glad you disconnected it. So, when I actually went into the machine and started looking at what the other person was doing, they were going into their internet history, trying to find bank accounts, bank information, bank statements. 

They were also using the Windows search capability to look for like 10 W, looking for tax information. They were looking after for personal information against this individual to try and take off their personal machine using an email of a legitimate vendor that unfortunately was a spam email from the get-go.

Rick Barron (28:22.585)

That's frightening. 

Kris S. (28:25.634)

And then at the end of the day, rather than try to remediate that computer, we actually blew it completely away. We didn't know if they installed anything nefarious, if there was something left behind. We made sure we had a backup of what was crucial to this family member and then we installed Windows.

Rick Barron (28:42.807)

Okay, so with everything that you and Allan have been talking about, how does AI now come into the picture here? I mean, what potential nightmares could someone face, whether through, you know, getting a fake phone call, you know, like Allan could say, well, was that Kris that just called me? You know, what potential hurdles are people going to be facing down the road? Because it could make it could make it looked like what we're facing today. Okay, that's an easy fix. But now you throw AI into the mix. Now what do I do? Who do I call? What does one do now?

Allan R (29:24.85)

Well, I was going to say, one, we shouldn't necessarily be alarmed by AI. There are capabilities and transactions and speed that AI will offer in the future that you don't have today. It is a tool that could be used for exploitation, but also for benefit. just the term AI, I'm going to just say, should be taken in hand with additional advances in technology.

Kris S. (29:25.42)

Yeah, I don't think.

Rick Barron (29:27.727)

Go ahead, Allan.

Allan R (29:53.606)

But having said that, my key is understand the steps that you need to take for remediation almost no matter what happens. What can you do and what can you prepare for if something happens through no fault of your own? And it could be through technology on the internet. It could be at your gas station. I'm not sure if you're familiar, but

There are people that put hardware on top of the card readers at the gas station. They're called skimmers, and they clone a copy of your card straight from the gas pump with your physical card. You insert it. You think you just got gas. It seemed like everything was all on the up and up. But you didn't realize they had a card skimmer that made a copy of your card, and then now you get home. You start suddenly getting alerts that all these charges started piling up on the card that you just used at the gas station.

Again, fraud can happen in very, very different ways, but what do you do next? Right? So, what you do is you have a set of phone numbers for all the goods and services that you use so that if any of these come up, that you have an immediate, what is it called? 

An immediate phone number that you know is actual, like the legitimate phone number that you can call and start to alert them to the fraud that's happening against any of those particular accounts. Right? So, if it's a credit card, have the legitimate phone number available immediately. You can call them and place a hold or place an alert. You know, they have a playbook that they utilize to take next steps in regards to your fraud. When did you start seeing it happen? 

They flag all the fraud that has occurred so far so that you will not be subjected to it. Most cards now do not hold their consumers liable. They get a new card in place that has a brand-new number that they will put in the mail for you. Things of that nature. Same thing with your bank accounts. They can start flagging transactions that were not legitimate and so forth. So having your remediation plan when it does happen is an extremely important thing for folks to get comfortable with because

Allan R (32:12.124)

Frankly, sometimes it's not a matter of if, but it's a matter of when and how quickly can you mobilize and start remediating these things that have happened. And I'm sorry, Kris, I cut you off.

Kris S. (32:23.222)

No, I was actually going to take a little bit before that. So, one of the common scams right now is targeting senior citizens and grandparents. And it's called the Grandparents Scam. I think it's out on ftc.gov where the individual will get a phone call in a muffled voice purporting to be that grandparent's grandson or granddaughter. And this happened to my father-in-law. He got a phone call, someone claiming to be my son, and the voice didn't sound quite right and was leading on my father-in-law, and finally my father-in-law said, you know what, the voice doesn't sound right, I don't believe this, and hung up on the individual.

My father-in-law's next step was to immediately call my brother-in-law versus the parents. We've since corrected that. But when he called us, he finally realized, you know, my son was fine, there was nothing going on, he wasn't in the hospital. And I said to him, I says, you know, this is a common scam. After we hang up, you're gonna get another phone call or two with him trying to obtain money. You're gonna hear the same voice. They're gonna try to extort you for whatever, you know, the scam is behind the scenes.

I say, no user, call our ID. Unless it's our phone number or it's someone you trust, this isn't legitimate. Then where this is going sideways, especially with AI is when those scam calls come in, they're using AI voice generation. So, it actually sounds like the individual calling you. So, it could have been my son had it been AI generated and he could have fallen for it because he knows what my son sounds like.

Rick Barron (33:31.853)

Hm.

Kris S. (33:49.062)

The key there is when something feels fishy, start asking questions. What was the last book we saw together or read together? What was the last movie we saw? Or even in person, set a safe word up. So, say you get a phone call, something doesn't sound quite right, and you set that safe word, ask for it. And if you don't hear it, know that whoever is on the other end of the phone isn't the actual person they purport to be.

Rick Barron (34:17.197)

Alright.

Kris S. (34:17.658)

And actually, I had an ophthalmologist, they had a family member that I got a phone call from someone that sounded like someone else. And when the conversation took an attuning that didn't quite make sense, that's when they figured out that it was AI generation at the other end.

Rick Barron (34:33.007)

That is amazing. I know my wife and I were looking at an AARP webinar where the person was talking about such things as what Allan was saying in regards to skimming at gas stations. But in every sequence, he was showing pictures like an ATM.

And he said, to look at this photo and everyone just kept looking at it and he said, okay, now let me focus in on it for you. And as he focused in right in the upper right-hand corner was this very thin device that somehow someone was able to attach painted it the same color as the trim. And thereby when everyone was putting in their card, they were capturing their information. So, it was so subtle that I know the next time I went to the ATM, I actually went up to the machine. I just started rubbing my hands around the rim, but it makes you think, you know, sometimes you just think you're safe and someone does the most obvious that's right in front of you and you get caught. 

Allan R (35:40.262)

Well, so I do want to combine the two things that you just said. The first one is Kris's with AI and the ability to fool folks. And the second one with you, Rick, is that people who want to get access to your money, even though they're not supposed to, will go to great lengths. So, they'll use technology like Kris's. They'll even use older technology like you were talking about, cameras and ATMs, but the, the, the piece to avoid both is knowledge and preparation. So, you being aware that this happens, inspected the perimeter the next time you went. Kris's on the other hand, you know, you can set up some system. He uses safe words, but there's other ways you set up a system to know that the conversation and information that you're sharing with who you think is legitimate.

Is it actually legitimate. Right? That's the key is preparing or one understanding what threats are out there and preparing mitigation steps. So that way you're prepared in case you question the validity of what you're trying to do. So, I'll piggyback on what Kris said with the AI thing and with people trying to extort money from individuals. They also really, really try to make it seem urgent.

The urgency is the key to making you do something that otherwise you would have better judgment on. It's the exercise of this is so important and time is of the essence. You need to act now versus using your normal sense to realize this would never really happen. Right. And so, if you plan it out in your head that you have these contingency steps, instead of panicking and haphazardly reacting to this, you know, faux urgent matter, you already have a system in place to verify, am I going to be doing the right thing? 

Because I planned in this in advance and I know to double check using these already planned steps. I think that's extremely important because the fraud folks, that's really what they seize on. They seize on your fear and they seize on your unpreparedness.

And they use information that seems likely, either a likely voice, a name that you're familiar with, a place of business that you're familiar with. And they put together these really, really intricate scenarios to try to build your trust and make you act in a very abrupt manner. And that's the only way they're really able to be successful because when put into a bind, then what are you going to do? Right?

You don't have a lot of time to think, but if you have pre-planned, then you don't have to think. You can already act on your playbook that you've set up. You know, we talked about a whole bunch of books, having phone numbers, the proper phone numbers to call, having words with your associates or family that you know will confirm the legitimacy of them, et cetera. Right? If you have these things in place, then you don't have to panic.

Rick Barron (38:36.174)

Right.

Allan R (39:04.85)

Because what are those 30 seconds gonna really cost you? Not much, not much. You can double check and go to these valid sources that you've planned for and really confirm whether you need to take certain steps or not.

Kris S. (39:19.316)

And so, sorry, I say, to Allan's point there, just a real-world experience. So, my father-in-law when he was approached from someone purportedly my son, it was, I'm in the hospital now, there needs to be an attorney, the attorney needs to get funded now, we're gonna need you to send money. So it wasn't, you know, that, you know, this is my son, I'm doing fine, you know, I didn't lose an arm or a leg or whatever, it's, there's an attorney, I need money, stat. That was the immediate flag for him, that, and the voice that didn't quite sound right. So yeah, there will be no immediacy for most things. When you hear it, ask questions.

Rick Barron (39:55.077)

Sure, and I think to both of your points, you know, they the first thing that these guys will do is act on your fear and they and they know the right keywords. OK, we need it now. We must have this information now. I need to have the password. I got to have it now. So first, you know, some poor souls, you know, they're going to buy it hook line and sinker and then they get sucked into it. I mean, I know my mother was getting a lot of phone calls periodically.

And she, she didn't know what to do. I said, just hang up the phone, you know? So, one day I happened to be at her house and she got a call and we both listened together. And it got to the point where, no, no. And so, I just hung it up. I said, look, let me give you some tips. And when you get a call like this, and when they ask questions now for my mother, she knows she was in, in her late eighties and it was hard for her to comprehend what I was telling her, so I had to really put it in very layman terms that if you hear this type of a request, hang up the phone. 

Don't say anything more. Just hang up the phone. So, I think to that end, you know, even the best of us can get caught off guard. And I think both of you have kind of indicated it's in our best interest to try to have an action plan, so that if this happens, you do the following. And like you said, Kris, you know, just take a deep breath, stand back and then do what you know that needs to be done to address it. Because if you don't have something like that, I could see where one could just accidentally say, well, I'm going to do this as, no, no, you should have done this before. Those are all good points that you guys have called out.

Allan R (41:44.57)

The one thing that I will emphasize that you just said is most of the immediate actions are predicated on some kind of fear. There is something that you're fearful of that they say is going to happen unless you act within the next 20 seconds. But in reality, nothing will be resolved within 20 seconds that means anything.

Your feedback of just hang up the phone, even if it was, you know, law enforcement saying, you know, we're going to arrest you unless you do this immediate thing that requires your Social Security number. It's not, it's not going to happen. You know, since when did anything government happen within 20 seconds, right? So, you know, don't be afraid to hang up that phone and, and, and then call your trusted friend because that's what your plan said, right?

Rick Barron (42:34.308)

Yeah.

Allan R (42:38.724)

Hang up the phone, call your trusted friend, see if this is a normal scam, see if these things even happen. Right. And again, the, the, the amount of different angles they take on fear is, is, is quite numerous, right? It could be a family member in trouble. It could be you're in trouble with the law. It could be confiscating your property. You know, you name it.

They have something that'll touch the right fear button for you. And just don't believe it. Just don't. You got to train yourself to not. You got to train yourself to look for your trusted infrastructure and go from there. And if you do that and you even plan it, it'll feel a lot healthier mentally. Because some of these things are quite alarming that they put in your head that might happen.

Rick Barron (43:36.707)

Right. Well, I know I did a podcast a while back on this individual in Minnesota. His practice was going to bars and talking to people. But mainly he would go to some of these college kids where he knew which ones were getting intoxicated and he would go up to him and say, you know, I need to make a phone call. Can I just borrow your phone?

And the person would say, okay, sure. Let me unlock it for you. And without them knowing it, because they were so intoxicated, he looked to see what they were doing. And in quick fashion, he pretended like he was making a call, but he was getting information off their phone that therefore then allowed him to dig into their credit cards, their banking. And he was very, very good at this. He explained to the reporter how he went about doing this.

And the reporter said, well, what could a person do with someone like you who's asking for your phone? Don't give it to me. It's that simple. If you don't know who this person is from Adam, don't even take a chance. So it could happen to anyone, particularly if you're intoxicated and you even know what you're doing. It happens. It could be that simple.

Kris S. (44:57.422)

I think going into things, we've been talking about what you should do if something happens. You can be proactive ahead of time. I mean, costs you nothing to freeze your credit at all three agencies right now. So, in theory, no new accounts can be opened because look at that line of credit is locked. You can set up multi-factor or two-factor authorization on the accounts where it doesn't require just the username and password to log in. It requires something else, like a message sent to your phone. 

You can also set up that with your cell phone provider passwords on that phone number so that someone can't call in and say, I've got a new phone, send me a new SIM card or walk into a location and get a new SIM card. They have to provide another level of password to prevent that from happening. So, you can.

Rick Barron (45:39.823)

So, regarding the multi-factor, do you ask, would I ask the bank to do that for me? How does that work?

Kris S. (45:47.57)

Typically, on the bank apps, what they'll do is they'll ask you when you log in, do you want to set up multi-factor authorization? And then they may have different options. It really depends on the bank. Some they will send you or they will have the option where you can get text message, passcode every time you log in. Others, they'll use your face ID on your phone and your touch ID. Others have authentication apps. It really depends on who the bank is or who that belongs to.

Rick Barron (46:14.885)

Okay, that's good to know. Well, so we've talked about the, you know, the mobile phones, the, your computer, but there's so many other ways that people can perform these scam acts, if you will. Now, what about the world of social media and kids today who just arbitrarily just trust anyone when it comes to like going to Facebook? I mean, I read an article where one needs to be careful of even going to these type of sites because you could be looking at a very innocent video of a mother deer walking down the street with its children. And you kind of select it like, OK, I'm going to share this with my friends. 

And right away, you find out that was a very malicious video. So, it's almost like you almost have to be very careful what you trust, because it's almost like these people are working on what we know there's going to be someone out there who's going to like this video and they're going to load it. So, I think for me, social media presents a whole different facet of how scamming can happen, particularly to children.

Kris S. (47:28.854)

I say, it sounds like you could do a podcast based on just that alone.

Rick Barron (47:34.002)

Yeah, I could.

Kris S. (47:36.854)

But I think the key there is really, yes, there are going to be things out there, you rely on quote unquote trusted sites or authoritative sites where you know there's a Facebook, you know there's a Twitter or an X, you know there's this, you know that. If you're being connected to a website, something that just doesn't make sense or a character is also, it's not Facebook, it's Facebook, then certainly you're asking questions, am I seeing something that is legitimate? Are there some signs that'll be there?

Kris S. (48:03.884)

Stick to your trusted sources or what purports to be a trusted source.

Allan R (48:08.51)

I'm a little bit more conservative there and I usually caution my family and friends that are not that tech savvy to adjust all of their privacy settings on social media so that they only interact with people they know. They have it set up where your information can, again, I'm going to use that word again, public domain where everything you do via social media will go out to the public, but this is really more for people that are trying to monetize their content and so forth.

But for the most part of people I interact with, they just use it to deal with friends and family. And so that's what their settings should entail. There are privacy settings that say only interact with people that are on my list. Only take messages from people that are on my list, only share what I want to share with people on my list. 

And I really caution folks to try to set it that way because again, in the wild, there are people that are going to try to exploit you for one reason or another, and this is another way for them to put you within their crosshairs, right? And then, like you also said, this whole extra video whatnot, I also caution them, regardless of all the settings, sometimes you still do get a random spam that seem to sneak into your direct messages, or DMs as they call it. Don't click on any links within any kind of DM, especially from ones you don't know. 

You'll get a random message that'll say like, win a hundred bitcoin and it'll just be this random URL. Just delete the message right away, especially because you know, you don't know who they are. Don't accept any messages from anyone who you don't know because why? Why would you? What information are they going to share that's meaningful in your life? Just delete it, right? Move on and use it for its intended purposes, which is to stay close to the family and friends that you don't live locally to, right? Don't fall for the gimmick. Go ahead.

Kris S. (50:07.022)

And then, sorry, I know, I was gonna say that. And if you get something from someone purporting to be a friend, your dear Aunt Sally sends you an email saying she needs $25,000, call her up and ask, did you really send this? It doesn't hurt to actually call them and ask if this is legit or not. Because you know them.

Allan R (50:25.242)

Yeah, and because actually Kris makes a very good note because as you may try to tailor your contact list to only people that you know and trust, not everyone has done that. And so you can actually get people that spoof other people's social media and be pretending that they're them. You know, so every once in a while, I'll still get the random friend or relative that said, my social media was hacked. If you get anything from me, it wasn't from me.

And so again, super important to know: if Aunt Sally suddenly is asking immediately for $5,000 to bail her out of a jail in a foreign country, one, probably not her, but two, at worst, if it could have happened, just call Aunt Sally and say, hey, are you okay? I got a request for $5,000 you did I must have been

Rick Barron (51:27.247)

So, I had two other questions here. One was, I know some folks have asked this who live on my street and honestly, I didn't have the answer right away, but they wanted to know what phishing emails entails. 

And another one, I think you called it out earlier in this discussion where you could be taken to a fraudulent website that looks like the real McCoy. Is there any way to detect whether or not I know if this is not, this is a fake site, even though it looks like it's real. Who wants to take that?

Kris S. (52:04.204)

I'll pass that to you, Allan.

Allan R (52:06.32)

Okay, so I'll do the phishing one. So phishing is, and that's P-H-I-S-H-I-N-G, phishing. It's like it sounds though. It's, you know, they put bait out there, which is in the form of an email, text message, some sort of a direct message chat on a social media channel of some sort. And they put the bait of some information that might be familiar to you.

Rick Barron (52:13.656)

Okay.

Allan R (52:33.73)

And that's the bait and they want you to click on something which will potentially send you to one of those fraudulent websites that you just talked about, install malware, get you on the phone, you know, hook you, right? And that's what phishing is. Phishing is a directed attack to you based on something that may seem familiar to you in one way, or form. And then they'll do that blanketly.

And then they also have something called spear phishing, which is when they have a little bit more information, they try to do the same thing, but they try to put a little more information specific to you to increase the idea that it's legitimate. And like you also said, it gets all these other forms of fraud. Nothing is ever that urgent. Feel free to delete. So, if it's on email, if it's on tech, if it's on social media DMs,

You don't know this person, you didn't ask for this thing, just delete. You don't even need to open it, right? If you weren't expecting it, don't open it. Because if it's a bank, the bank might send you something in the mail, right? They have to, there's formal ways for them to contact you about something urgent. A text message is really not it. So, feel free to delete and, you know, check it through legitimate sources if you are concerned.

Rick Barron (53:45.701)

Hmm.

Rick Barron (54:02.415)

Good points.

Allan R (54:02.802)

In terms of the website, I'll let Kris expand, but like he mentioned, a lot of the software and, you know, malware protection, they'll let you know, you know, this website is not legitimate. It'll be a big flag, you know, pop-up box. You're in the wrong spot. Don't move further. Well, for the most part, the way I recommend avoiding it is don't click on links to get to your websites.

Rick Barron (54:22.691)

Right.

Allan R (54:31.684)

It's never really a good idea. It's not much time savings anyway. You know, have them within your own bookmarks, hand type them yourself, but don't click on a link. You're not gonna get a link from a bank that says click here. They know that this fraud is out there. They're not gonna do it. So you shouldn't click on them. You should in fact hand type them yourself or go to your safe bookmarks instead.

Rick Barron (54:55.0)

Right.

Kris S. (54:55.328)

Was going to take advice from Allan in my response there anyway. Right under their phone number on the credit card that you have, that you speak on, is probably their website. Just type it in and bookmark it from there.

Allan R (55:04.956)

Yep.

Rick Barron (55:05.997)

OK, so listen, we've covered a lot of ground here and I really appreciate you guys taking the time, and there is so much information to absorb here. And I think those who listen to this conversation there will have learned a lot. I think for me that the biggest factor or the biggest piece of information I found very intriguing was to do the obvious, just to have an action plan. You know, I have something of an action plan, but not to the depth that you both identify and you would think it wouldn't take long to pull that together, but just to have it at the ready. That way it, God forbid it does happen. You know how to react and react in a way that you don't make it worse than it already is. So, but in the years that you guys have been in this business, you've learned a lot, you've seen a lot. 

What closing thoughts, would you like to leave with the audience about what we have covered today? Kris, I'll let you go first.

Kris S. (56:11.406)

I think this is coming more from a personal spot for you. For those trusted advisors or those people you turn to, don't burn them out. You know, especially if they work in this industry, they see it all day long. They don't want to go to a Thanksgiving dinner and be bugged by, I clicked on this or I want to buy that. Just give them some space and recognize that, you know, they only don't, they don't only want to hear from you when something is going wrong. They wouldn't mind the occasional hello too.

Rick Barron (56:37.647)

Sure, good point, very good point. Allan?

Allan R (56:42.45)

Mine will be to actually, one, have that trusted advisor, but two, to not be afraid of technology. The more you learn, the more you can plan. If you kind of defer in a shy away and not be knowledgeable, that's how you can be exploited because of your lack of knowledge. So, try to learn, try to be aware, ask questions, it's okay, right? And the more you know, the more you can set up your plan of action if something does go awry. And you won't be panicked because you'll be familiar and know what to do.

Rick Barron (57:23.983)

Good points. Well, those are all good points from both of you. So yeah, be prepared, be prepared. So, listen up. Yeah. So, listen, I want to thank both of you for taking the time and providing some very in-depth answers to the questions I threw at you. I think the audience is going to take your insight and apply it in their daily lives. And I hope, you know, I'm sure they have learned something here. 

So that said, for further information regarding this interview, please visit my website, which you can find on Apple Podcasts. As always, I thank you for the privilege of you listening and your interest. Be sure to subscribe here or wherever you get your podcasts so you don't miss an episode. And we'll see you soon.