Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard against pig butchers as Valentine's Day approaches, and spare a moment to feel sorry for poor ransomware gangs.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the "Compromising Positions" podcast.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- ‘Everyone looked real’: multinational firm’s Hong Kong office loses HK$200 million after scammers stage deepfake video meeting - South China Morning Post.
- Countdown’s Rachel Riley is deepfaked by HSBC - Vimeo.
- Scameter - Cyber Defender HK.
- Warning as scammers fake police Scameter app - The Standard.
- Ransomware payment rates drop to new low – now 'only 29% of victims' fork over cash - The Register.
- New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying - Coveware.
- Romance scam reports rose by a fifth in 2023, says Lloyds Bank - The Independent.
- What is a ‘pig-butchering’ scam – and why is it on the rise? - BBC.
- Pig butchering mining scams: What they are and how to stop them - SC Media.
- No love for romance scammers in 2024 - Consumer Advice.
- Romance scammer reveals how he tricks women after failing to fool Go Public reporter - CBC.
- Sudoku Exchange.
- Learn Improv at Laugh at Leeds.
- Mr Mercedes - Disney+.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be.
CAROLE THERIAULT. Really? Do people ask that?
GRAHAM CLULEY. I think—
LIANNE POTTER. Really? It's just one of those great life mysteries, isn't it? You know, why would they aim for such a target?
CAROLE THERIAULT. Why?
UNKNOWN. Smashing Security, Episode 358: Hong Kong Hijinks, Pig Butchers, and Poor Ransomware Gangs. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 358. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined this week by somebody new, somebody who hasn't been on the podcast before. Great pleasure to invite them to the show, Lianne Potter of the Compromising Positions podcast.
LIANNE POTTER. Hello, thank you so much for having me.
CAROLE THERIAULT. It's great that you're here.
GRAHAM CLULEY. Yeah, now Lianne, Compromising Positions. What's that about?
LIANNE POTTER. Yeah, Compromising Positions, protecting your assets, big emphasis on the ass of assets, never leaving you exposed. We're a new podcast and our aim is to interview non-cybersecurity people about cybersecurity.
So it's kind of part therapy session, part deep dive into how do we do things better. So basically every week I get someone in from a non-cybersecurity background. Every week we have a different topic. I have lots of really nice takeaways for people working in cybersecurity to take away and make their security controls actually work, which is what we really wanted to happen.
CAROLE THERIAULT. I think that's a really lofty goal and a good one.
LIANNE POTTER. I think I can hope so. Yeah, it's been really great. I've had some really fantastic people, some sort of personal heroes of mine on the show already.
So yeah, the reception has been great. We were big in Denmark for a week. Don't know how, don't know why, but for a week in Denmark we were charting in the top 20.
CAROLE THERIAULT. Well, they're people of taste.
LIANNE POTTER. Talk, Denmark, talk.
CAROLE THERIAULT. Let's thank this week's wonderful sponsors, Kolide and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be discussing what could be a case of Hong Kong phooey.
CAROLE THERIAULT. Okay, that gives a lot away. What about you, Lianne?
LIANNE POTTER. I've got a real sob story for you here. Ransomware gangs, unfortunately, they are feeling the pinch just as much as we are.
CAROLE THERIAULT. Okay, and I'm going to be looking for love in all the wrong places. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, I've got a question for you, and it's this: is this the real life? Is this just fantasy?
CAROLE THERIAULT. Why are you ruining a classic?
GRAHAM CLULEY. Caught in a landslide. No escape from reality. I won't do any more.
CAROLE THERIAULT. Thank you.
LIANNE POTTER. Appreciate it. Yeah.
GRAHAM CLULEY. Thank you. Let me take you by the hand and lead you through the streets of Hong Kong, where a multinational firm has, well, one of its many offices all around the world, but they've got a significant presence in Hong Kong, shall we say.
And we are told that a massive fraud has recently taken place. According to Hong Kong police, a company has lost 200 million Hong Kong dollars. And for those of you not familiar with the exchange rate, that's about 25 million US dollars, or in British pounds, let me work that out. That's about 900 billion at the moment. So it's a lot, it's a lot of money. After one of its staff fell victim to a scam. Now, this particular employee worked in the finance department at this Hong Kong branch of this big multinational.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And you may be thinking, well, you know, people may ask, well, why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be. Really?
CAROLE THERIAULT. Do people ask that?
LIANNE POTTER. Aren't they generally so just one of those great life mysteries, isn't it? You know, why would they aim for such a target? Why? Why, Graham?
CAROLE THERIAULT. Why?
GRAHAM CLULEY. Because that's where all the money is, of course. So that's where all the money is. So that's where people are targeting. If they were after data, if they were after information about your personnel, then they might go for the HR department. But if they're just strictly after the money, why not go to the finance department, particularly in these days of business email compromise and CEO scams and those sort of things? It's not that uncommon.
So in the middle of last month, in the middle of January, this person in Hong Kong received a message from what they believed was their UK-based CFO, the Chief Financial Officer, asking them to transfer some money. Now, you know, instantly we have multiple alarm bells going off.
CAROLE THERIAULT. Well, I don't know.
GRAHAM CLULEY. No, no, really?
CAROLE THERIAULT. Like, if you're used to getting those, right? Like if it's a normal occurrence that the guy goes, throw 10K into this account pronto, chop chop, like, you know, you wouldn't bat an eyelid if he made that request.
GRAHAM CLULEY. I would like to think in many organizations, there may be more of a procedure rather than just receiving a message from the CFO via something which is potentially insecure like email. There may be a little bit more double checking.
LIANNE POTTER. The amount of time it takes to just get any expenses authorized, you know, for like 20 quid or something in an organization, let alone like this just happens. This is so unfair. Why can't I have it this easy?
GRAHAM CLULEY. I remember years ago, the company I was working for sent me overseas to do some work for a few weeks at one of our other branches. And so I put my expense claim in for my cat to go into a cattery because I was going — it was a nightmare. Couldn't get them to pay for my cat. Was I being unreasonable? I don't know.
CAROLE THERIAULT. I'm thinking, I'm thinking.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. It is an expense you have to incur.
GRAHAM CLULEY. It's an expense I had to incur.
CAROLE THERIAULT. But do people do it with their children? If they, you know, do they? You know, like if you go away for two weeks, do you —
LIANNE POTTER. As far as I'm aware, Carole, childcare, you know, isn't that cheaper than doggy daycare is? For example, exactly. I'm just about to put my dog through doggy daycare and I'm thinking about claiming back on expenses through that.
GRAHAM CLULEY. So I'm just like, yeah, obviously it wasn't the cheapest cat treat, you know, it's the jewel-encrusted water bottle. It was, you know, I had —
CAROLE THERIAULT. I'm sure, I'm sure your cat loved that.
GRAHAM CLULEY. Would have loved all that anyway. So yes, so claiming expenses can be really difficult. It's amazing how companies can just cough up $20 million to move into someone's account.
Anyway, so this request came through claiming to be from the UK-based CFO. And I think probably at this company, 'cause it's a big multinational, there were rules about this kind of thing. This person was working in finance. They thought, oh, you know, I have to be sure because this could be a fraudulent email.
CAROLE THERIAULT. Okay, smart.
GRAHAM CLULEY. Right. Yeah, so they're smart. So they're thinking, I need to double-check this. I need to make sure that this instruction is legitimate.
CAROLE THERIAULT. Makes sense. Yeah, I like that.
GRAHAM CLULEY. So how would you do that? How would you check?
CAROLE THERIAULT. I would say, look, I'm just going to give you a bell on your cell phone. We'll have a little chat. Just want to get all the ins and outs, right?
GRAHAM CLULEY. You could do that. Yeah, that's certainly potentially possible if you have their mobile phone.
I mean, in this particular case, the email contained a link to a video call service. So maybe they're using Teams, maybe they're using Zoom or whatever, where they could have a chat to describe what was going on. And we have described many times before how it's possible to create fake videos of people saying what someone else wants them to say.
So deepfake videos. So you have to be careful on a video call. But a video call, I would argue, is perhaps a little bit more convincing because you're having a conversation with somebody.
CAROLE THERIAULT. And it gives you more away than just a phone call, right? Because you also have a visual reference.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. And because you're interacting with them and you can ask them questions.
CAROLE THERIAULT. If you called me up, Clue, and said, look, I need £1,000, I would first die. And then I'd be, then I might call you up on Zoom and go, what are you talking about? What do you need £1,000 for?
GRAHAM CLULEY. You would never call me on Zoom.
LIANNE POTTER. You would never turn on the video camera.
CAROLE THERIAULT. I call you on our normal channels.
GRAHAM CLULEY. Our normal channels. We wouldn't turn on video, would we? Would we turn on video?
CAROLE THERIAULT. I might make you go on video to promise that you pay it back, right? With a pinky swear.
GRAHAM CLULEY. But there could be someone lurking in the corner of my office with a gun with a silencer pointed to my head or something, couldn't there?
CAROLE THERIAULT. Why does it have a silencer? It's good for me, I suppose. My ears won't, you know.
GRAHAM CLULEY. Anyway, so I mean, yes. Yes, scams occur. In this particular case, this person was a little bit suspicious, and they weren't sure.
We've discussed this many times before. Possible to create fake videos. You know the TV game show Countdown on Channel 4?
LIANNE POTTER. Yep.
GRAHAM CLULEY. Used to have Carol Vorderman on it. Now it's Rachel Riley, where they have their little quiz with the numbers.
She picks, you know, 3 big ones and 2 small ones, and can you make them all count up to 793 or something, right? And Rachel Riley is a maths wizard. And 5 years ago, 5 years ago, you think deepfake is a new thing?
Poppycock! 5 years ago, HSBC made a video showing how it was possible to make Rachel Riley say that she was bad at maths, and that answers to tricky maths puzzles were being fed into her earpiece.
LIANNE POTTER. I'm bad at maths. That's not true.
CAROLE THERIAULT. HSBC did that to show just how sophisticated fraudsters can be. I'm bad at replying to people. I'm bad at maths. I get fed the answers in my earpiece.
GRAHAM CLULEY. So this isn't new.
LIANNE POTTER. What did HSBC have to gain from besmirching that poor woman's reputation?
GRAHAM CLULEY. Well, HSBC, also known, by the way, as the Hong Kong Shanghai Banking Corporation. We don't know the name of the company which was affected in this case. So make your own guesses.
They wanted to warn their staff, and indeed they wanted to warn customers as well about the dangers of deepfaked video and how this was possible and how you shouldn't necessarily trust someone just because you can see them saying something.
CAROLE THERIAULT. Right. But still, come on. When does it stop? Right?
When do you go, oh, okay, you're serious? Would someone have to come on and say, look, I'm really hurt. Look, my leg's pumping out blood, you know, and you'd have to show that in order for people to believe you? I don't know.
GRAHAM CLULEY. That seems a bit extreme. Oh, maybe. In this particular case, so the employee had reason to be suspicious. They thought, hang on a minute, this isn't my first rodeo. I'm going to join this Zoom call.
But what allayed their fear is when they joined the video call, they found it wasn't just with the CFO, it was with multiple other people inside the organisation, other senior members of staff and some outsiders as well. And according to the cops, the company employees on this call looked and sounded like people the targeted employee did recognize inside the organization.
CAROLE THERIAULT. So this guy clicks on the Zoom call or whatever, the video conferencing thing, and then there's all these people like Brad from accounts and Sheila, and then they're all like, yeah, yeah, no, no, buy, buy, sell, sell. You're wrong.
GRAHAM CLULEY. I don't know if they're like, maybe they're, you're on mute. You're on mute. Can you hear me over there? You're having the usual video call problem.
LIANNE POTTER. Problems. But when do you ever get all the execs in one place at the same time anyways? When would you— when will that happen?
CAROLE THERIAULT. Well, when you want $20 million, I guess.
GRAHAM CLULEY. Well, yeah, maybe when you're moving that much money. Yeah, into an account and saying, look, it's very important, but we've chosen you to do this.
LIANNE POTTER. I don't think I could just be like, oh, I'll just click on a Zoom link and just say, hey, just calling the CFO right now, I bet he's not busy.
GRAHAM CLULEY. Oh well, I think they sent an invite. They said join us at this time.
LIANNE POTTER. Okay.
GRAHAM CLULEY. Because we're going to have a conference call where we can discuss.
CAROLE THERIAULT. You know, that would work for me. That would work for me. As we all know, I now know I can fall for these kind of scams. So I imagine if I joined one of these calls with all these people jabbering on, I'd be like, ooh, okay, this is serious.
GRAHAM CLULEY. So according to the Hong Kong police, there is a senior superintendent, Baron Chan Shun-ching. He says that in previous cases, the scam victims have been tricked in one-on-one video calls. And this, of course, was a multi-person video call.
And everyone that they saw was fake. They said the scammers were able to generate convincing representations of targeted individuals that looked and sounded like the actual people.
CAROLE THERIAULT. It's smart too, because you're going to ask a lot less questions if there's 15 people on the call than if there was just one. Right? Because you don't want to look like an idiot.
GRAHAM CLULEY. And maybe you won't say something like, "Stand on one leg!" "Recite the alphabet backwards quickly!" You know, you wouldn't ask any of those test questions.
LIANNE POTTER. I don't think you've been into any of my meetings at all, Graham.
GRAHAM CLULEY. So this employee, over the course of a week, they made 15 transfers totaling over 200 million Hong Kong dollars to 5 different accounts.
CAROLE THERIAULT. What kind of oversights were going on in this company?
GRAHAM CLULEY. Yeah, exactly.
CAROLE THERIAULT. 15 transfers.
GRAHAM CLULEY. Yeah. So I guess because there was a limit maybe as to how much you could move at once. I mean, it can happen, can't it? That you'd probably not set off alarm bells.
CAROLE THERIAULT. But it's like someone chopping off one of your digits, your fingers or your toes. I don't know why I'm so dark today. My pick of the week is also very dark.
I don't know what's going on. February. But you know, you would notice. You would just notice. That's a lot of money. Most people would notice.
GRAHAM CLULEY. You'd like to think so. Well, now this was interesting to me. So the police say that they've carried out an investigation and they have found that the meeting participants had been digitally recreated by the scammers, as I described, using publicly available video and audio footage of those individuals.
And they imitated the voice of their targets reading from a script. So it's quite sophisticated, this, what they've done here.
And apparently on the call, they asked the victim, you know, when you go around, you say, "Okay, if everyone can introduce themselves." And so they got the victim to introduce themselves, but they didn't interact with them at that point.
And the meeting ended rather abruptly after they gave the instructions. But it was enough to dupe them.
But here's my actual question. I said, is this Hong Kong phooey?
How do the police actually know that what they're saying happened happened? They haven't made any arrests.
How do they know that these were deepfakes? How do they know that, for instance, it wasn't the real CFO and his colleagues telling this employee to move the money into these bank accounts?
CAROLE THERIAULT. Yeah, where's the money now? Exactly.
LIANNE POTTER. Right.
GRAHAM CLULEY. Was the employee in on it? Or are they just saying they were fooled by deepfakes?
Because what a wonderful— it's a bit like saying, "We were attacked by a state-sponsored hacking group, and therefore we don't have to admit—" It's super serious. Yes, it was a very, very— it's very convenient, isn't it?
Say, "Oh well, it was deepfakes."
CAROLE THERIAULT. That's how I got duped. This is hard though.
I mean, you're doing exactly what we're telling people to do. Trust nothing.
But you do sound like a crazy person. Oh, thank you very much.
GRAHAM CLULEY. So I'm just asking the questions. I'm just asking the questions.
Yeah, yeah, yeah. Anyway, the police say if you're not sure if someone is a fake or not on a video record, they've come up with some advice.
Uh-oh. And their advice, they said, is ask the person to bobble their head around a bit.
Now, I don't think that's— I don't think that's going to always work. I think if it's a pre-recorded video, maybe it would work.
But these days with deepfakes, you could have an actor actually playing the part and then having a deepfake face munged on top of them to fool you. So they could bobble their head.
LIANNE POTTER. Yeah, but you still get that weird halo sometimes though, don't you, with the deepfakes? That weird—
CAROLE THERIAULT. Bad connection, bad connection. Next, Lianne.
LIANNE POTTER. Yeah, I think it's good advice. You know, do that thing that you did in PE, you know, at the start when you're in primary school and you do the chin roll.
So put your head right into your chin, roll around, just get everyone in the meeting to do that. And then you've got a nice workout as well.
GRAHAM CLULEY. That never looks good on a webcam. Yeah.
I have to say, depends where your webcam is.
CAROLE THERIAULT. I'm sure a few weeks ago we talked about doing jumping jacks, getting people to do jumping jacks as soon as they come on or something, so.
GRAHAM CLULEY. I think the scammers are going to be onto that.
LIANNE POTTER. The deepfake craze and the fitness craze could really get together on this. I really do think so.
GRAHAM CLULEY. Hong Kong police have also said that you should use their Scameter service. So this is an online service. I'll put a link in the show notes. Cyberdefender.hk it is.
We can enter the details of an account and see if it is connected to past scam activity. They call it the one-stop scam and pitfall search engine.
But a little word of warning, because last year scammers sent messages to people saying, oh, you know, we're the police. We've recovered more than $50 million from a past scam.
If you want to check whether you're one of the people who are going to get your money back, go to this link. Go to the fake version of the Scameter app, which will steal your money and your personal information as well.
CAROLE THERIAULT. The future is bright.
GRAHAM CLULEY. Lianne, what's your story for us this week?
LIANNE POTTER. Oh, get out the tissues. This is a really sad one.
The ransomware gangs are really feeling the pinch, just like the rest of us. Turns out that payments have dropped down to a new low of 29%.
GRAHAM CLULEY. So less than a third of companies are paying the ransom demands.
LIANNE POTTER. Correct. Correct.
Yeah. So it's reduced. So there's a company called Coveware and they've been tracking this for some time since 2019.
Now, when they first started tracking this trend, it was at 85% choosing to pay these ransomware gangs. But however, they said in a recent analysis of the data in the last quarter of 2023, it dropped to a brand new low of 29%.
So from 85% to 29% in just in the space of a few years, which is— that's pretty good. And obviously there's lots of moral and ethical questions about whether you should pay or not, which, you know, you've gone through on the show many a time.
But what this report suggests is the reason why these payments are going down is due to awareness, which, you know, pat on the back everyone with the messages getting out there. People are listening and it's awareness in the sense that people are understanding that ransomware or being hit by ransomware is not a question of if, but a question of when.
And, you know, as such, people are starting to take heed of the things we've been saying for ages, which is more robust backups.
GRAHAM CLULEY. But isn't it the case that a lot of these ransomware attacks now aren't encrypting your data, so they're just stealing it with the threat of releasing it? So is it that these companies don't care if the data is released because there have been so many data breaches?
Everyone's had their personal information exposed in the past and what's a little bit more?
CAROLE THERIAULT. Yeah, customers won't care that all their data's been stolen. That's the issue, right?
LIANNE POTTER. Well, yeah, well you do see that time and time again, don't you? So when a big company has a breach, there is a drop in their share prices for a little bit.
But if you watch the trends of companies that have had a breach, it kind of just goes back to normal quite quickly. And by quite quickly, I mean in the space of sometimes weeks, sometimes months. Or sometimes it even does better 'cause then people think, oh well, actually they're reinvesting into security. So, you know, you see the likes of Uber who, you know, quite a lot of breaches and then lots of job adverts the next day come out for cybersecurity professionals.
So you can kind of see how that might be a thing. But this article suggests that unfortunately it isn't the security team people are listening to about that message of have good backups.
It's actually just because mainstream media, which is great. So not your likes of your cyber publications or your tech publications, you know, the things like your BBC News, your Guardian, etc., making cybersecurity issues and ransomware headline news.
And in particular, what's really kind of convincing people that they're, you know, less likely to pay is because of the stories where ransomware groups are not returning the data after it's been paid. So they're not keeping up to their end of the bargain.
CAROLE THERIAULT. Right. So they're getting the payment and then still releasing the data afterwards. So losing the trust, breaking that bond of—
GRAHAM CLULEY. That seems really bad business sense by the ransomware gangs. Shouldn't they provide a higher level of customer service than that if they want to carry on having, quote, customers?
LIANNE POTTER. Well, I've run my own business in the past, and, you know, when there's a big industry-wide scandal, it just takes a few bad eggs to make your business model look rubbish. So I feel really sorry for these legitimate quote-unquote ransomware gangs who do have good practices of managing and keeping up to their end of the bargain.
And it's just a few of these bad ransomware gangs that are just really letting it down for everyone else. And as a result, there's this big drop in ransomware payments.
GRAHAM CLULEY. Do you think we need a service Trustpilot where people can review the quality of the ransomware gang that they've been infected by and whether they did their part of the bargain? Then we'd know, maybe each ransomware gang could have a, you know, a points out of 5, 5-star rating or something, say, look, we're really trusted, whereas the bad guys wouldn't be trusted.
And so you'd know that you were likely to get your data back or likely to have them destroy it properly.
LIANNE POTTER. I think that would be a really good idea, 'cause there's the TripAdvisor effect, isn't there? You know, when there's a new restaurant that's open, it has really good reviews and all the restaurants around it wanna kind of compete and up their game a bit.
Oh, right. That'd be really good for ransomware gangs to kind of up their game and rebuild the trust back into the community, into businesses that, you know, when they do ransomware, that we're actually gonna get what we paid for back.
CAROLE THERIAULT. But I wonder if it is a question of, you know, if they don't get their money, if they're not getting their payoff, then they're gonna go through a type of recession, same as the tech industry is. There'll be layoffs in the ransomware world.
Oh, bless them.
LIANNE POTTER. See, it's what I mean. Absolute sob story. The impacts will be far-reaching. One thing I'd like to think about though is, will this mean they pivot into something else?
Because you know, the whole idea of it is, you know, ransomware is really low cost, really great return on investment. And if that's not working, what's the next thing that they're gonna turn to that has such a good return on investment? And that's probably where you're gonna see, I'm going to say it 'cause it's not been really said yet, AI and things like that.
You mentioned it. I mentioned it. Phishing test, AI and things like that into the mix to make it still, you know, low cost, high gains for them.
But what was also interesting about this article was there was a second part of the section which says the person who's done the study, so Coveware, said let's enjoy this downturn naturally because one of the other conversations people have been having is about banning ransomware payments altogether. Now, they say that according to their research, when places like Florida, which I wasn't aware actually that Florida has banned ransomware payments, and they have done so since 2022, they've not seen any noticeable difference in the number of attacks they've got.
So that's a number of attacks, not payments. And according to this article, that they're saying if we ban it then it just shows the cybercriminals that we're unable to look after ourselves. Whereas if we keep it as is and people keep practicing this good security hygiene, then slowly it might fizzle out on its own accord anyways.
I'm, oh God, I'm so cynical today.
CAROLE THERIAULT. Oh yeah, today.
LIANNE POTTER. I don't know what's wrong with me.
GRAHAM CLULEY. So how do Coveware know that the number of companies paying the ransom has gone down?
LIANNE POTTER. Coveware are a ransomware response and negotiation company.
GRAHAM CLULEY. Oh, so their business has gone down. Ah, right, they're suffering. I see. World suffering. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, we have a very special day fast approaching us. One that, you know, loving couples, brand new and old alike, like to celebrate. And I'm talking about Valentine's Day.
Or is it Saint Valentine's Day? What do you say?
GRAHAM CLULEY. I just think it's a load of old tosh, isn't it? I usually just say, "Ugh." Why don't we just call it Tuesday or something?
CAROLE THERIAULT. Okay, so you have no interest in celebrating any love in your life?
GRAHAM CLULEY. No, I do. Excuse me. Of course I celebrate love. Great love in my life. Let's say this very quickly in case anyone's listening.
But the whole idea that the entire country has to go out to an Italian restaurant and book a table, that doesn't seem terribly romantic to me. Much more romantic, obviously, just to, you know, sort of slob around on the sofa and put something in the microwave and say, there you go.
CAROLE THERIAULT. It's the older man's version of Netflix and chill. There you go. So you resent that people are being forced to do it, basically?
GRAHAM CLULEY. No, I don't resent other people being forced to do it. I resent me being forced to do it.
CAROLE THERIAULT. So I don't like that. Right. And Lianne, what about you?
LIANNE POTTER. I agree. My birthday is on Halloween, and I resent having to kind of be force fed into Halloween. So having another day where you have to just surround yourself with hearts and flowers, and like you say, Graham, overpriced special Valentine's Day menus.
You know, you could be going to your favorite restaurant, but oh, they've added a surcharge on top of that. And with ransomware payments the way they are these days, I don't know if I can afford it.
CAROLE THERIAULT. It's hard though to come up with a way that's not cheesy, but also kind of recognizing if you have someone in your life you want to high-five, right? In my case, do I buy the Yeti eraser, right? Is that a good gift?
He obviously doesn't have one.
GRAHAM CLULEY. Good for you, maybe.
CAROLE THERIAULT. But maybe good for me, definitely. But yeah, it seems like a holiday for some romantic partners, right?
But there's people out there. Some of us are single, and Valentine's Day may not be the holiday you most look forward to. Unless you use it as a springboard to hop back into the dating saddle.
So I don't know about you, I have a number of friends right now, extended family, that are suddenly getting back on the dating scene. I don't know if it's a New Year's resolution, or to avoid a solo Valentine's Day, but people seem to be refreshing wardrobes, hitting the gym, updating their profile. You know, they always are catching a big fish or climbing a steep mountain, shuffling along a beautiful beach.
The stuff we couples do all the time, let me just assure you. Yep, all the time.
LIANNE POTTER. Speaking of big fish, can I just put a shout out there to gentlemen who are putting on their dating profiles? Please don't put the big fish photo on there. You're holding a big fish.
CAROLE THERIAULT. 'Look at this huge fish I've caught.' Yeah, even from a security point of view, it's not a good idea catching a big fish, is it?
It's never someone sitting on a sofa eating, you know, family-sized bag of Cheetos or whatever. But the first port of call these days is you go online.
You don't tend to go down to your local Superdrug, see someone cute, and then approach, because it could be pretty dangerous depending on what they're trying to buy. I don't know if conversation opener of 'Hi, you itchy?' is a good idea.
LIANNE POTTER. Works for me every time.
CAROLE THERIAULT. And then you dive into this online dating pool and try to find someone who's a good fit for you. What would you be looking for?
You'd probably, Graham, you'd be looking for someone who looks like a dead actress from the '50s, I'm sure.
GRAHAM CLULEY. Well, yeah, Diana Rigg. Diana Rigg, that's right. Yeah, yes, that's right, yes. Circa 1968.
CAROLE THERIAULT. I'd be going for a Danny DeVito clone, you know?
GRAHAM CLULEY. That's pretty much what you've got, isn't it, at the moment? It's quite short.
CAROLE THERIAULT. But, you know, whatever your pleasure and the aim of the game is to find love. And if you start now, maybe in a week's time when Valentine's Day is upon us, you might already be starting to feel that warm sparkle feeling, you know, of a budding relationship.
Well, I'm here to say stop right there, people. Because according to Lloyds Bank this past weekend, romance scams have increased more than 20% in 2023 compared to 2022.
And I have a few questions for you just for fun. So what age group do you think reported losing the most money?
So £13,000 on average in this age group, almost doubling the average across all romance scam reports in the UK.
GRAHAM CLULEY. Is it 54-year-old male podcast hosts? No, it's not.
CAROLE THERIAULT. Okay, thank God. All right, do you want to guess, Lianne?
LIANNE POTTER. I want to say probably millennials, and the reason why, just because we've grown up with the likes of Dirty Dancing and stuff like that. We're looking for love, we're looking for that dance partner to really take us onto that nostalgia train.
GRAHAM CLULEY. Oh, and I suppose they're all on the TikToks and things as well, aren't they? So they might get what— what is it called?
A thirst something, isn't it? What's it called?
Oh, you know. It's a thirst trap. No, is that not what's happening?
CAROLE THERIAULT. It's older people. It's 65 to 74. They're the most trusting. Coffin dodgers. Which group do you think were most likely to report falling for a romance scam?
GRAHAM CLULEY. Not the oldies, I'm guessing. Young people. Not the oldies. Young people.
CAROLE THERIAULT. That was much closer to your original one. 55. It's 55 to 64. More— it's more people over middle age that are falling for these things.
And in Canada, things are much, much worse. According to the Canadian Anti-Fraud Centre, romance scams cost 945 victims more than $50 million, an average of $53,000 per victim. We're way too trusting, Canadians. Way too trusting.
GRAHAM CLULEY. Extraordinary, isn't it? That's a huge amount. I've actually received an email today from someone who says that their friend has been exchanging messages from Mark Ruffalo. You know, the Hollywood actor Mark Ruffalo? Who's the Hulk or something.
LIANNE POTTER. He would be on my list for sure.
GRAHAM CLULEY. And this person says she's never spoken to him. They've never seen pictures of each other. It's purely been text. And her friend is completely hook, line, and sinkered and ready to give them a fortune. Completely convinced. And she was saying, what can I do about this? It's horrendous. And you can imagine people giving a huge amount of money because they think, oh, but it's going to be love.
CAROLE THERIAULT. Yeah, they often use fake photos. They often refuse to meet up. And common excuses may involve working away in the armed forces or international aid or charity work.
GRAHAM CLULEY. Or in Mark Ruffalo's case, he's just got very, very angry and is now 14-foot tall and ripped with green muscles.
CAROLE THERIAULT. Yeah. And his muscles are so big he can't actually reach the keyboard very well.
GRAHAM CLULEY. He hasn't got a reliable pair of trousers. He can't go out on a date. He's got plenty of excuses.
CAROLE THERIAULT. The scary thing, though, is the scams can last a seriously long period of time. And that's what allows the fraudster to build trust with the victim. So in your case, right, this may have gone on for months. And it might carry on until he asks for money.
And usually the claims are family issues, medical bills, needing money to arrange to meet up because their money's all tied up. And what douchebag wouldn't help out a brand new potential partner? Especially when you've been talking daily for months and want to meet. Have you heard this term pig butchering? In the context of romance scams? I hadn't heard it. Shows you how much security—
LIANNE POTTER. No, I've not heard it.
GRAHAM CLULEY. Oh, I thought we'd done it on the show before, pig butchering. Oh, maybe I just mean we stopped listening. Didn't listen. Don't listen to that podcast.
CAROLE THERIAULT. I was just going, interesting. Uh-huh.
GRAHAM CLULEY. I'm sure it's one of your stories is actually— hang on, I'll have a quick search through our past episodes.
LIANNE POTTER. Oh no, we figured out that she's the deepfake. So, okay, so pig butchering.
CAROLE THERIAULT. So it means basically priming the victim in preparation for financial slaughter. So fattening the pig. It's so disgusting.
LIANNE POTTER. Very evocative.
CAROLE THERIAULT. Yeah, but it's so gross because people are doing what people do, looking for someone to connect with, right? And they do it online now because that's where everyone spends their time. And scammers take advantage of this.
And perhaps, I don't know, do we need to lean on dating sites to do more? Is that the problem here, that we can't trust them? I mean, if they're using images that are already taken from somewhere else on the web to use as their dating pictures.
GRAHAM CLULEY. Or they're generating them with, dare I mention the letters AI again, in which case they may not be anywhere else on the web already. And the scam is really occurring when people begin chatting though, isn't it?
It's not necessarily even on the dating site. The dating site is the initial hook, but then they're chatting to you on WhatsApp or whatever it is, and it may be months and months down the line before they say, "Oh, I've got this great investment in cryptocurrency. You should really do it too, 'cause I love you so much. Why don't you put some of your money in? I'll do it for you if you like. If you don't know how to do it, just wire me this money." And bam.
CAROLE THERIAULT. Yeah, and one of the things as well, I was reading, and I have a link in the show notes from a CBC article where someone was trying to catfish this woman, and then eventually explained why he did what he did and how he did it. But one of the things he mentioned is I create a new profile on Instagram, I go out and try and lure in as many women as I can that fit the profile that I'm trying to get.
And then I need to get them off Instagram as soon as possible. Because if someone finds out and reports it, the account gets taken down. And then I've lost contact with all the other people I've worked on. You really want to establish a second means of communication quickly, which could be a warning you know, if you're talking to someone. But it's kind of scary. So during this romantic time, keep your wits about you. If you meet someone new, don't not tell your friends and family. So at least in your case, what you were reporting earlier, Graham, they've told a friend and family, but they're not listening to the friend and family saying, take heed.
GRAHAM CLULEY. No, they're not listening to them. Yeah, take heed.
LIANNE POTTER. That's the hard part, isn't it, is when they don't listen because the reason why they're so good at what they do is because they really make you believe that you are the one and they are the one. And it's really hard to convince people otherwise because when they say, you know, you make first impressions within the first microseconds of meeting someone, it's really hard actually then to go back on that.
And yeah, that's how come they're so successful. It's just, it's so sad when even when you actually see the signs, you just cannot convince the other person that it's not true.
CAROLE THERIAULT. Yeah, I agree. And I think my best advice is literally rather than attack someone in Superdrug, wait for them outside, right? A comfortable distance away, and then say something romantic. When they walk out, say something "Hey, did you get what you came for?" And wink or something.
LIANNE POTTER. That'd work, right? Sorry, what? You were gonna mug me. It sounds like you're gonna mug me. What's going on? I think you've been out of the game for a bit too long, Carole. Yeah, she found her guy at the zoo.
CAROLE THERIAULT. This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources?
Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out.
Welcome to Kolide, a world where access is only given to approved, secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard.
Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning fewer resources are needed to effectively operate a more secure environment. Kolide is the device trust solution for companies with Okta.
Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing.
That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide for sponsoring the show.
GRAHAM CLULEY. Shortcut compliance without shortchanging security. That's what Vanta can bring your company.
Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money. Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more.
And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com/smashing to claim your discount.
That's vanta.com/smashing. And thanks to Vanta for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Whatever they like. It doesn't have to be security related necessarily.
Better not be. Well, my Pick of the Week this week is not security related.
I am trying to stop my brain turning into mush. Started a bit late.
Well, yes, possibly, possibly. But I realised I need to do more than just play chess badly.
So I've also been playing a little bit of Sudoku, which I'm sure you guys have all played in your time. But I, you know, I was doing a bit of Sudoku and I thought, I'm not entirely happy with this app.
So I went into the App Store and I was looking at Sudoku apps and I was trying them out. And they've got bad user interfaces or they've got intrusive ads or they're really unforgiving because if my fat fingers happen to press the wrong button or the wrong square, it goes, "Oh no, you've made a mistake. Oh, if you make another mistake, you're going to, you know, forfeit the game."
And it's like, no, I do know. I know what I was trying to do.
I just pressed the wrong button. Don't be so mean, I'm thinking.
Why should I?
CAROLE THERIAULT. Are you not worried about your stress levels and your heart? As opposed to your brain mush-ness?
LIANNE POTTER. A little bit. And also, you know, we were all worried when King Charles had really sausage fingers.
Is everything okay?
GRAHAM CLULEY. I think— yeah, oh, that's true. Yeah, I could get—
LIANNE POTTER. Go get checked out. Go check out my sausage fingers.
Be careful about going to Superdrug though.
GRAHAM CLULEY. Someone might come on to you. Anyway, I thought there must be something which doesn't have a bad user interface, doesn't have intrusive adverts, can handle your sausage fingers. And it can handle— sausage finger compliant. And I found it at sudokuexchange.com, which is a lovely, beautifully designed little website with lots of sudoku exercises. It suits all of my requirements.
I'm very happy using it. I'm not very good at sudoku. I've got to get up to speed. My partner, much faster at it than me. But I like this little website, so that's what I'm using. So my pick of the week is sudokuexchange.com.
LIANNE POTTER. Mm. Very good. You could have got the same from a Sudoku book as well. Yeah, right.
CAROLE THERIAULT. Smokes. I have something for you, Graham, what you could do. Go ahead. This is what my parents-in-law do. Every morning when they wake up, they both have the same— two copies of a Sudoku book, and they race each other.
Oh my goodness. Oh my God. They go, okay, we're doing number 59, go. And that's what they do before they do it.
GRAHAM CLULEY. That's it, 59. Anyway, yes. So, back to the drugstore. Lianne, what's your pick of the week? Moving on quickly.
LIANNE POTTER. So my pick of the week this week is for people to get used to being a bit more comfortable with the unknown and to inject a bit of spontaneity into their lives. So— Oh, hello. Yeah. Carole, Graham, picture this, right? You're both on stage and the crowds look at you and the host of the event says, now, how do these two people know each other?
So you and Graham, and the voices in the audience all call out, but one's louder than the rest, and they say coworkers. Great. So the host nods and then asks another question. So where do they work? And then you hear a choral sound, and the sound is, in an abattoir, they demand. And then the host then turns to you and says, right, you're both coworkers who work in an abattoir. Begin your scene in the style of a 1950s musical. How would you both feel about that situation?
CAROLE THERIAULT. I'm not super familiar with 1950s musicals, so I would feel out of my depth a bit on that, but I do love a bit of improv.
LIANNE POTTER. That's exactly what it is. So for the past two years, I've been spending my time getting used to situations like that, not working in an abattoir, which is the most requested place of work in a scene. Really? Absolutely. Gross.
GRAHAM CLULEY. Yes, not in real life, I think, only in improv situations. Just in improv.
LIANNE POTTER. And along with the word prolapse— let's not go into that. But I've been performing as part of an improv group, and I couldn't have done it without my pick of the week, which is the Laugh at Leeds Stand-up and Improv Comedy School. And I've always been a fan of shows like Whose Line Is It Anyway since I was a kid, and I was always in awe of their ability to kind of think on their feet, you know, and I guess even more so be totally unfazed when a joke bombs or doesn't land. I don't know if you've watched any of that show recently, revisited or anything like that. Whose Line Is It?
GRAHAM CLULEY. Yeah, I have.
LIANNE POTTER. Yeah, they are really good at even when it doesn't land, they take it so easily. And I think that's such a great skill to learn. So for a decade I've kept saying to myself, I'm going to do a course in improv one day.
I've been putting it off, putting it off until I actually met someone in real life who was— who'd done the course several times and said how amazing it was. So I went along and did it and I've had the bug ever since.
And the way it works is that they run courses really regularly in 6-week blocks. So you start off absolutely terrified, I'll be honest with you, and then by the end of the 6 weeks you're actually performing on stage in front of people doing improv.
Wow. It's really great and it's amazing to see your peers, people you're on the course with, go from really nervous, just as nervous as you are, to these really confident, funny individuals.
And it's got to the point now where I actually regularly perform as part of my own improv troupe, Roll With It. So I've learned some real amazing practical skills.
It's really helped with my public speaking, how I approach work, you know, how to be cool with, you know, coming off script, you know, injecting a bit of humor into proceedings and things like that. So, ah, we've been breached, huh?
Let's have a joke.
CAROLE THERIAULT. And I bet it helps a lot with podcast life too, right? Because yeah, during interviews and when you're chatting with people, you can just listen and then think at the same time.
I think that's almost the skill is you need to take in and also come up with something.
LIANNE POTTER. Yeah, so the first few weeks you just get trained on two principles. So one is listening, and then the other one is a principle called "yes, and."
Now, "yes, and" means that you embrace the scene, so you take in whatever suggestions. So abattoir, for example, and 1950s musical.
It wouldn't matter if you didn't know anything about a 1950s musical. You just have to roll with it.
And it's just a really great thing. And what I think we could learn from in cybersecurity about it as well is that "yes, and" principle: yeah, when people come up to you in the business and say we want to do something, instead of just saying no, we can't, "yes, and maybe we can look at it from this security angle" would be a really useful thing to do.
So that is my pick of the week. Learn improv if you can, and if you can learn it at Laugh at Leeds.
CAROLE THERIAULT. Sounds like you are a perfect candidate for Sticky Pickles. Just saying.
You can think on your feet. That's what we need.
GRAHAM CLULEY. I was told some years ago I should go and do an improv course because it would help with my public speaking. So I did go on one, and at the end they were going around everyone and saying, you know, you were really good at this, you were good.
They said, and you, they said, point to me, you're really good at bullshitting. They said, you're really good at just—
CAROLE THERIAULT. Well, obviously not if they spotted it, you know, that's not how bullshit works.
LIANNE POTTER. Touché.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. As I warned you, I have a gruesome recommendation for my pick of the week. I wanted something extremely anti-Valentine's-y, right, to counterpoint my story that I've mentioned earlier.
So this is a TV series, not a new one. I think it came out, first aired in 2017, called Mr. Mercedes. It's based on a famous trilogy by a horror god, Stephen King.
Now, as a kid, I read a lot of Stephen King. I really liked— me too. Yeah, right? I just loved it.
Anyway, so this book, Mr. Mercedes, is what King calls his first hard-boiled detective story. So you have this retired detective, Bill Hodges, played by Brendan Gleeson, who is haunted by his old unsolved case, Mr. Mercedes.
And this is where a nut job stole a Mercedes and drove it through a line of job seekers at a local jobs fair, okay, killing 16 people. Horrible, right?
GRAHAM CLULEY. Cheery. Yes, like you said, right.
CAROLE THERIAULT. I know, I told you, not cheery. I warned you. And the guy driving the Mercedes and who killed all those people was never caught.
And we have a retired detective who is curious about tying loose ends up and starts asking questions, giving this Mr. Mercedes a brand new person to toy with. And the game goes pretty dark pretty quickly.
I cannot underline enough how dark this is. I could not watch scenes at all. I even had— My husband and I, last night, we were watching the last episode, literally, where I was humming.
He was reading the text to himself. He wasn't telling me, and I was humming, and my eyes were shut, and my fingers were in my ears, 'cause I just— The scene was just too disturbing.
But the best thing for me is the soundtrack. It's so good.
So, your detective has a mixtape moody blues soundtrack that's always playing, some old country, really gorgeous stuff, curated so well. And your psychopath is more into the alternative indie rock with punkish overtones, stuff from the '90s.
And both of them, great tunes. I loved it, loved it, loved it.
So if you want something super dark and non-romantic at all, my pick of the week, Mr. Mercedes, currently streaming on Disney+.
GRAHAM CLULEY. Now, is there an actual resolution to this if I'm going to invest into this series?
CAROLE THERIAULT. Well, okay. I just found out doing research for this that actually the series I watched, which I thought was a one-off, is actually one of 3 series.
GRAHAM CLULEY. But the first series is sort of encapsulated. The first one ended well.
CAROLE THERIAULT. Yes. Okay, well, that's good then. All right. So I have no idea where it goes from now, but, yeah, there you go.
GRAHAM CLULEY. Well, thank you for that, Carole. Very cheery. And that just about wraps up the show for this week.
Lianne, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?
LIANNE POTTER. So I'm on LinkedIn. I'm the one with the really humble headline banner. You can find me under Lianne Potter.
And you can also listen to me every Thursday on my podcast, Compromising Positions. We accept listeners from anyone outside of Denmark as well.
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter now has to have a G, and Smashing Security is also on Mastodon. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT. And big fat thank yous to our episode sponsors, Kolide and Vanta, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 357 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye. Bye.
LIANNE POTTER. Thank you, Lianne. No worries. Thank you, Lianne. How was it? Oh, I loved it. Thank you so much. I was so incredibly nervous to start with, but thank you.
CAROLE THERIAULT. Oh, you didn't sound nervous at all, so that's cool.
LIANNE POTTER. That's the improv in it.
CAROLE THERIAULT. There you go.
-- TRANSCRIPT ENDS --