358: Hong Kong hijinks, pig butchers, and poor ransomware gangs

February 7, 2024
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be.

Carole Theriault

Really? Do people ask that?

Graham Cluley

I think—

Lianne Potter

Really? It's just one of those great life mysteries, isn't it? You know, why would they aim for such a target?

Carole Theriault

Why?

Unknown

Smashing Security, Episode 358: Hong Kong Hijinks, Pig Butchers, and Poor Ransomware Gangs. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 358. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we are joined this week by somebody new, somebody who hasn't been on the podcast before. Great pleasure to invite them to the show, Lianne Potter of the Compromising Positions podcast.

Lianne Potter

Hello, thank you so much for having me.

Carole Theriault

It's great that you're here.

Graham Cluley

Yeah, now Lianne, Compromising Positions. What's that about?

Lianne Potter

Yeah, Compromising Positions, protecting your assets, big emphasis on the ass of assets, never leaving you exposed. We're a new podcast and our aim is to interview non-cybersecurity people about cybersecurity. So it's kind of part therapy session, part deep dive into how do we do things better. So basically every week I get someone in from a non-cybersecurity background. Every week we have a different topic. I have lots of really nice takeaways for people working in cybersecurity to take away and make their security controls actually work, which is what we really wanted to happen.

Carole Theriault

I think that's

Lianne Potter

I think I can hope so. Yeah, it's been really great. I've had some really fantastic people, some sort of personal heroes of mine on the show already. So yeah, the reception has been great.

Carole Theriault

a really lofty

Lianne Potter

We were big in Denmark for a week. Don't know how, don't know why, but for a week in Denmark we were charting in the top 20.

Carole Theriault

goal and a good one. Well, they're people of taste.

Lianne Potter

Talk, Denmark, talk.

Carole Theriault

Let's thank this week's wonderful sponsors, Kolide and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be discussing what could be a case of Hong Kong phooey.

Carole Theriault

Okay, that gives a lot away. What about you, Lianne?

Lianne Potter

I've got a real sob story for you here. Ransomware gangs, unfortunately, they are feeling the pinch just as much as we are.

Carole Theriault

Okay, and I'm going to be looking for love in all the wrong places. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, I've got a question for you, and it's this: is this the real life? Is this just fantasy?

Carole Theriault

Why are you ruining a classic?

Graham Cluley

Caught in a landslide. No escape from reality. I won't do any more.

Carole Theriault

Thank you.

Lianne Potter

Appreciate it. Yeah.

Graham Cluley

Thank you. Let me take you by the hand and lead you through the streets of Hong Kong, where a multinational firm has, well, one of its many offices all around the world, but they've got a significant presence in Hong Kong, shall we say. And we are told that a massive fraud has recently taken place. According to Hong Kong police, a company has lost 200 million Hong Kong dollars. And for those of you not familiar with the exchange rate, that's about 25 million US dollars, or in British pounds, let me work that out. That's about 900 billion at the moment. So it's a lot, it's a lot of money. After one of its staff fell victim to a scam. Now, this particular employee worked in the finance department at this Hong Kong branch of this big multinational.

Carole Theriault

Okay.

Graham Cluley

And you may be thinking, well, you know, people may ask, well, why is it always the people in the finance department who are getting targeted by the scammers? I wonder why that might be. Really?

Carole Theriault

Do people ask that?

Lianne Potter

Aren't they generally so just one of those great life mysteries, isn't it? You know, why would they aim for such a target? Why? Why, Graham?

Carole Theriault

Why?

Graham Cluley

Because that's where all the money is, of course. So that's where all the money is. So that's where people are targeting. If they were after data, if they were after information about your personnel, then they might go for the HR department. But if they're just strictly after the money, why not go to the finance department, particularly in these days of business email compromise and CEO scams and those sort of things? It's not that uncommon. So in the middle of last month, in the middle of January, this person in Hong Kong received a message from what they believed was their UK-based CFO, the Chief Financial Officer, asking them to transfer some money. Now, you know, instantly we have multiple alarm bells going off.

Carole Theriault

Well, I don't know.

Graham Cluley

No, no, really?

Carole Theriault

Like, if you're used to getting those, right? Like if it's a normal occurrence that the guy goes, throw 10K into this account pronto, chop chop, like, you know, you wouldn't bat an eyelid if he made that request.

Graham Cluley

I would like to think in many organizations, there may be more of a procedure rather than just receiving a message from the CFO via something which is potentially insecure like email. There may be a little bit more double checking.

Lianne Potter

The amount of time it takes to just get any expenses authorized, you know, for like 20 quid or something in an organization, let alone like this just happens. This is so unfair. Why can't I have it this easy?

Graham Cluley

I remember years ago, the company I was working for sent me overseas to do some work for a few weeks at one of our other branches. And so I put my expense claim in for my cat to go into a cattery because I was going — it was a nightmare. Couldn't get them to pay for my cat. Was I being unreasonable? I don't know.

Carole Theriault

I'm thinking, I'm thinking.

Graham Cluley

I don't know.

Carole Theriault

It is an expense you have to incur.

Graham Cluley

It's an expense I had to incur.

Carole Theriault

But do people do it with their children? If they, you know, do they? You know, like if you go away for two weeks, do you —

Lianne Potter

As far as I'm aware, Carole, childcare, you know, isn't that cheaper than doggy daycare is? For example, exactly. I'm just about to put my dog through doggy daycare and I'm thinking about claiming back on expenses through that.

Graham Cluley

So I'm just like, yeah, obviously it wasn't the cheapest cat treat, you know, it's the jewel-encrusted water bottle. It was, you know, I had —

Carole Theriault

I'm sure, I'm sure your cat loved that.

Graham Cluley

Would have loved all that anyway. So yes, so claiming expenses can be really difficult. It's amazing how companies can just cough up $20 million to move into someone's account. Anyway, so this request came through claiming to be from the UK-based CFO. And I think probably at this company, 'cause it's a big multinational, there were rules about this kind of thing. This person was working in finance. They thought, oh, you know, I have to be sure because this could be a fraudulent email.

Carole Theriault

Okay, smart.

Graham Cluley

Right. Yeah, so they're smart. So they're thinking, I need to double-check this. I need to make sure that this instruction is legitimate.

Carole Theriault

Makes sense. Yeah, I like that.

Graham Cluley

So how would you do that? How would you check?

Carole Theriault

I would say, look, I'm just going to give you a bell on your cell phone. We'll have a little chat. Just want to get all the ins and outs, right?

Graham Cluley

You could do that. Yeah, that's certainly potentially possible if you have their mobile phone. I mean, in this particular case, the email contained a link to a video call service. So maybe they're using Teams, maybe they're using Zoom or whatever, where they could have a chat to describe what was going on. And we have described many times before how it's possible to create fake videos of people saying what someone else wants them to say. So deepfake videos. So you have to be careful on a video call. But a video call, I would argue, is perhaps a little bit more convincing because you're having a conversation with somebody.

Carole Theriault

And it gives you more away than just a phone call, right? Because you also have a visual reference.

Graham Cluley

Yes.

Carole Theriault

Yep.

Graham Cluley

And because you're interacting with them and you can ask them questions.

Carole Theriault

If you called me up, Clue, and said, look, I need £1,000, I would first die. And then I'd be, then I might call you up on Zoom and go, what are you talking about? What do you need £1,000 for?

Graham Cluley

You would never

Lianne Potter

You would never turn on the video camera.

Carole Theriault

I call you on our normal channels.

Graham Cluley

Our normal channels. We wouldn't turn on video, would we? Would we turn on video?

Carole Theriault

I might make you go on video to promise that you pay it back, right? With a pinky swear.

Graham Cluley

Call me on Zoom. But there could be someone lurking in the corner of my office with a gun with a silencer pointed to my head or something, couldn't there?

Carole Theriault

Why does it have a silencer? It's good for me, I suppose. My ears won't, you know.

Graham Cluley

Anyway, so I mean, yes. Yes, scams occur. In this particular case, this person was a little bit suspicious, and they weren't sure. We've discussed this many times before. Possible to create fake videos. You know the TV game show Countdown on Channel 4?

Lianne Potter

Yep.

Graham Cluley

Used to have Carol Vorderman on it. Now it's Rachel Riley, where they have their little quiz with the numbers. She picks, you know, 3 big ones and 2 small ones, and can you make them all count up to 793 or something, right? And Rachel Riley is a maths wizard. And 5 years ago, 5 years ago, you think deepfake is a new thing? Poppycock! 5 years ago, HSBC made a video showing how it was possible to make Rachel Riley say that she was bad at maths, and that answers to tricky maths puzzles were being fed into her earpiece.

Lianne Potter

I'm bad at maths. That's not true.

Carole Theriault

HSBC did that to show just how sophisticated fraudsters can be. I'm bad at replying to people. I'm bad at maths. I get fed the answers in my earpiece.

Graham Cluley

So this isn't new.

Lianne Potter

What did HSBC have to gain from besmirching that poor woman's reputation?

Graham Cluley

Well, HSBC, also known as, by the way, as the Hong Kong Shanghai Banking Corporation. We don't know the name of the company which was affected in this case. So make your own guesses. They wanted to warn their staff, and indeed they wanted to warn customers as well about the dangers of deepfaked video and how this was possible and how you shouldn't necessarily trust someone just because you can see them saying something.

Carole Theriault

Right. But still, come on. When does it stop? Right? When do you go, oh, okay, you're serious? Would someone have to come on and say, look, I'm really hurt. Look, my leg's pumping out blood, you know, and you'd have to show that in order for people to believe you? I don't know.

Graham Cluley

That seems a bit extreme. Oh, maybe. In this particular case, so the employee had reason to be suspicious. They thought, hang on a minute, this isn't my first rodeo. I'm going to join this Zoom call. But what allayed their fear is when they joined the video call, they found it wasn't just with the CFO, it was with multiple other people inside the organisation, other senior members of staff and some outsiders as well. And according to the cops, the company employees on this call looked and sounded like people the targeted employee did recognize inside the organization.

Carole Theriault

So this guy clicks on the Zoom call or whatever, the video conferencing thing, and then there's all these people like Brad from accounts and Sheila, and then they're all like, yeah, yeah, no, no, buy, buy, sell, sell. You're wrong.

Graham Cluley

I don't know if they're like, maybe they're, you're on mute. You're on mute. Can you hear me over there? You're having the usual video call problem.

Lianne Potter

Problems. But when do you ever get all the execs in one place at the same time anyways? When would you— when will that happen?

Carole Theriault

Well, when you want $20 million, I guess.

Graham Cluley

Well, yeah, maybe when you're moving that much money. Yeah, into an account and saying, look, it's very important, but we've chosen you to do this.

Lianne Potter

I don't think I could just be like, oh, I'll just click on a Zoom link and just say, hey, just calling the CFO right now, I bet he's not busy.

Graham Cluley

Oh well, I think they sent an invite. They said join us at this time.

Lianne Potter

Okay.

Graham Cluley

Because we're going to have a conference call where we can discuss.

Carole Theriault

You know, that would work for me. That would work for me. As we all know, I now know I can fall for these kind of scams. So I imagine if I joined one of these calls with all these people jabbering on, I'd be like, ooh, okay, this is serious.

Graham Cluley

So according to the Hong Kong police, there is a senior superintendent, Baron Chan Shun-ching. He says that in previous cases, the scam victims have been tricked in one-on-one video calls. And this, of course, was a multi-person video call. And everyone that they saw was fake. They said the scammers were able to generate convincing representations of targeted individuals that looked and sounded like the actual people.

Carole Theriault

It's smart too, because you're going to ask a lot less questions if there's 15 people on the call than if there was just one. Right? Because you don't want to look like an idiot.

Graham Cluley

And maybe you won't say something like, "Stand on one leg!" "Recite the alphabet backwards quickly!" You know, you wouldn't ask any of those test questions.

Lianne Potter

I don't think you've been into any of my meetings at all, Graham.

Graham Cluley

So this employee, over the course of a week, they made 15 transfers totaling over 200 million Hong Kong dollars to 5 different accounts.

Carole Theriault

What kind of oversights were going on in this company?

Graham Cluley

Yeah, exactly.

Carole Theriault

15 transfers.

Graham Cluley

Yeah. So I guess because there was a limit maybe as to how much you could move at once. I mean, it can happen, can't it? That you'd probably not set off alarm bells.

Carole Theriault

But it's like someone chopping off one of your digits, your fingers or your toes. I don't know why I'm so dark today. My pick of the week is also very dark. I don't know what's going on. February. But you know, you would notice. You would just notice. That's a lot of money. Most people would notice.

Graham Cluley

You'd like to think so. Well, now this was interesting to me. So the police say that they've carried out an investigation and they have found that the meeting participants had been digitally recreated by the scammers, as I described, using publicly available video and audio footage of those individuals. And they imitated the voice of their targets reading from a script. So it's quite sophisticated, this, what they've done here. And apparently on the call, they asked the victim, you know, when you go around, you say, "Okay, if everyone can introduce themselves." And so they got the victim to introduce themselves, but they didn't interact with them at that point. And the meeting ended rather abruptly after they gave the instructions. But it was enough to dupe them. But here's my actual question. I said, is this Hong Kong phooey? How do the police actually know that what they're saying happened happened? They haven't made any arrests. How do they know that these were deepfakes? How do they know that, for instance, it wasn't the real CFO and his colleagues telling this employee to move the money into these bank accounts?

Carole Theriault

Yeah, where's the money now? Exactly.

Lianne Potter

Right.

Graham Cluley

Was the employee in on it? Or are they just saying they were fooled by deepfakes? Because what a wonderful— it's a bit like saying, "We were attacked by a state-sponsored hacking group, and therefore we don't have to admit—" It's super serious. Yes, it was a very, very— it's very convenient, isn't it? Say, "Oh well, it was deepfakes."

Carole Theriault

That's how I got duped. This is hard though. I mean, you're doing exactly what we're telling people to do. Trust nothing. But you do sound like a crazy person. Oh, thank you very much.

Graham Cluley

So I'm just asking the questions. I'm just asking the questions. Yeah, yeah, yeah. Anyway, the police say if you're not sure if someone is a fake or not on a video record, they've come up with some advice. Uh-oh. And their advice, they said, is ask the person to bobble their head around a bit. Now, I don't think that's— I don't think that's going to always work. I think if it's a pre-recorded video, maybe it would work. But these days with deepfakes, you could have an actor actually playing the part and then having a deepfake face munged on top of them to fool you. So they could bobble their head.

Lianne Potter

Yeah, but you still get that weird halo sometimes though, don't you, with the deepfakes? That weird—

Carole Theriault

Bad connection, bad connection. Next, Lianne.

Lianne Potter

Yeah, I think it's good advice. You know, do that thing that you did in PE, you know, at the start when you're in primary school and you do the chin roll. So put your head right into your chin, roll around, just get everyone in the meeting to do that. And then you've got a nice workout as well. That never looks good on a webcam. Yeah.

Carole Theriault

I'm sure a few weeks ago we talked about doing jumping jacks, getting people to do jumping jacks as soon as they come on or something, so.

Graham Cluley

I think the scammers are going to be onto that.

Lianne Potter

The deepfake craze and the fitness craze could really get together on this. I really do think so.

Graham Cluley

Hong Kong police have also said that you should use their Scameter service. So this is an online service. I'll put a link in the show notes. Cyberdefender.hk it is. We can enter the details of an account and see if it is connected to past scam activity. They call it the one-stop scam and pitfall search engine. But a little word of warning, because last year scammers sent messages to people saying, oh, you know, we're the police. We've recovered more than $50 million from a past scam. If you want to check whether you're one of the people who are going to get your money back, go to this link. Go to the fake version of the Scameter app, which will steal your money and your personal information as well.

Carole Theriault

The future is bright.

Graham Cluley

Lianne, what's your story for us this week?

Lianne Potter

Oh, get out the tissues. This is a really sad one. The ransomware gangs are really feeling the pinch, just like the rest of us. Turns out that payments have dropped down to a new low of 29%.

Graham Cluley

So less than a third of companies are paying the ransom demands.

Lianne Potter

Correct. Correct. Yeah. So it's reduced. So there's a company called Coveware and they've been tracking this for some time since 2019. Now, when they first started tracking this trend, it was at 85% were choosing to pay these ransomware gangs. But however, they said in a recent analysis of the data in the last quarter of 2023, 29% dropped to a brand new low. So from 85% to 29% in just in the space of a few years, which is— that's pretty good. And obviously there's lots of moral and ethical questions about whether you should pay or not, which, you know, you've gone through on the show many a time. But what this report suggests is the reason why these payments are going down is due to awareness, which, you know, pat on the back everyone with the messages getting out there. People are listening and it's awareness in the sense that people are understanding that ransomware or being hit by ransomware is not a question of if, but a question of when. And, you know, as such, people are starting to take heed to the things we've been saying for ages, which is more robust backups.

Graham Cluley

But isn't it the case that a lot of these ransomware attacks now aren't encrypting your data, so they're just stealing it with the threat of releasing it? So is it that these companies don't care if the data is released because there have been so many data breaches? Everyone's had their personal information exposed in the past and what's a little bit more?

Carole Theriault

Yeah, customers won't care that all their data's been stolen. That's the issue, right?

Lianne Potter

Well, yeah, well you do see that time and time again, don't you? So when a big company has a breach, there is a drop in their share prices for a little bit. But if you watch the trends of companies that have had a breach, it kind of just goes back to normal quite quickly. And by quite quickly, I mean in the space of sometimes weeks, sometimes months. Or sometimes it even does better 'cause then people think, oh well, actually they're reinvesting into security. So, you know, you see the likes of Uber who, you know, quite a lot of breaches and then lots of job adverts the next day come out for cybersecurity professionals. So you can kind of see how that might be a thing. But this article suggests that unfortunately it isn't the security team people are listening to about that message of have good backups. It's actually just because mainstream media, which is great. So not your likes of your cyber publications or your tech publications, you know, the things like your BBC News, your Guardian, etc., making cybersecurity issues and ransomware headline news. And in particular, what's really kind of convincing people that they're, you know, less likely to pay is because of the stories where ransomware groups are not returning the data after it's been paid. So they're not keeping up to their end of the bargain.

Carole Theriault

Right. So they're getting the payment and then still releasing the data afterwards. So losing the trust, breaking that bond of—

Graham Cluley

That seems really bad business sense by the ransomware gangs. Shouldn't they provide a higher level of customer service than that if they want to carry on having, quote, customers?

Lianne Potter

Well, I've run my own business in the past, and, you know, when there's a big industry-wide scandal, it just takes a few bad eggs to make your business model look rubbish. So I feel really sorry for these legitimate quote-unquote ransomware gangs who do have good practices of managing and keeping up to their end of the bargain. And it's just a few of these bad ransomware gangs that are just really letting it down for everyone else. And as a result, there's this big drop in ransomware payments.

Graham Cluley

Do you think we need a service Trustpilot where people can review the quality of the ransomware gang that they've been infected by and whether they did their part of the bargain? Then we'd know, maybe each ransomware gang could have a, you know, a points out of 5, 5-star rating or something, say, look, we're really trusted, whereas the bad guys wouldn't be trusted. And so you'd know that you were likely to get your data back or likely to have them destroy it properly.

Lianne Potter

I think that would be a really good idea, 'cause there's the TripAdvisor effect, isn't there? You know, when there's a new restaurant that's open, it has really good reviews and all the restaurants around it wanna kind of compete and up their game a bit. Oh, right. That'd be really good for ransomware gangs to kind of up their game and rebuild the trust back into the community, into businesses that, you know, when they do ransomware, that we're actually gonna get what we paid for back.

Carole Theriault

But I wonder if it is a question of, you know, if they don't get their money, if they're not getting their payoff, then they're gonna go through a type of recession, same as the tech industry is. There'll be layoffs in the ransomware world. Oh, bless them.

Lianne Potter

See, it's what I mean. Absolute sob story. The impacts will be far-reaching. One thing I'd like to think about though is, will this mean they pivot into something else? Because you know, the whole idea of it is, you know, ransomware is really low cost, really great return on investment. And if that's not working, what's the next thing that they're gonna turn to that has such a good return on investment? And that's probably where you're gonna see, I'm going to say it 'cause it's not been really said yet, AI and things like that. You mentioned it. I mentioned it. Phishing test, AI and things like that into the mix to make it still, you know, low cost, high gains for them. But what was also interesting about this article was there was a second part of the section which says the person who's done the study, so Coveware, said let's enjoy this downturn naturally because one of the other conversations people have been having is about banning ransomware payments altogether. Now, they say that according to their research, when places like Florida, which I wasn't aware actually that Florida has banned ransomware payments, and they have done so since 2022, they've not seen any noticeable difference in the number of attacks they've got. So that's a number of attacks, not payments. And according to this article, that they're saying if we ban it then it just shows the cybercriminals that we're unable to look after ourselves. Whereas if we keep it as is and people keep practicing this good security hygiene, then slowly it might fizzle out on its own accord anyways. I'm, oh God, I'm so cynical today.

Carole Theriault

Oh yeah, today.

Lianne Potter

I don't know what's wrong with me.

Graham Cluley

So how do Coveware know that the number of companies paying the ransom has gone down?

Lianne Potter

Coveware are a ransomware response and negotiation company.

Graham Cluley

Oh, so their business has gone down. Ah, right, they're suffering. I see. World suffering. Carole, what's your story for us this week?

Carole Theriault

Well, we have a very special day fast approaching us. One that, you know, loving couples, brand new and old alike, like to celebrate. And I'm talking about Valentine's Day. Or is it Saint Valentine's Day? What do you say?

Graham Cluley

I just think it's a load of old tosh, isn't it? I usually just say, "Ugh." Why don't we just call it Tuesday or something?

Carole Theriault

Okay, so you have no interest in celebrating any love in your life?

Graham Cluley

No, I do. Excuse me. Of course I celebrate love. Great love in my life. Let's say this very quickly in case anyone's listening. But the whole idea that the entire country has to go out to an Italian restaurant and book a table, that doesn't seem terribly romantic to me. Much more romantic, obviously, just to, you know, sort of slob around on the sofa and put something in the microwave and say, there you go.

Carole Theriault

It's the older man's version of Netflix and chill. There you go. So you resent that people are being forced to do it, basically?

Graham Cluley

No, I don't resent other people being forced to do it. I resent me being forced to do it.

Carole Theriault

So I don't like that. Right. And Lianne, what about you?

Lianne Potter

I agree. My birthday is on Halloween, and I resent having to kind of be force-fed into Halloween. So having another day where you have to just surround yourself with hearts and flowers, and like you say, Graham, overpriced special Valentine's Day menus. You know, you could be going to your favorite restaurant, but oh, they've added a surcharge on top of that. And with ransomware payments the way they are these days, I don't know if I can afford it.

Carole Theriault

It's hard though to come up with a way that's not cheesy, but also kind of recognizing if you have someone in your life you want to high-five, right? In my case, do I buy the Yeti eraser, right? Is that a good gift? He obviously doesn't have one.

Graham Cluley

Good for you, maybe.

Carole Theriault

But maybe good for me, definitely. But yeah, it seems like a holiday for some romantic partners, right? But there's people out there. Some of us are single, and Valentine's Day may not be the holiday you most look forward to. Unless you use it as a springboard to hop back into the dating saddle. So I don't know about you, I have a number of friends right now, extended family, that are suddenly getting back on the dating scene. I don't know if it's a New Year's resolution, or to avoid a solo Valentine's Day, but people seem to be refreshing wardrobes, hitting the gym, updating their profile. You know, they always are catching a big fish or climbing a steep mountain, shuffling along a beautiful beach. The stuff we couples do all the time, let me just assure you. Yep, all the time.

Lianne Potter

Speaking of big fish, can I just put a shout out there to gentlemen who are putting on their dating profiles? Please don't put the big fish photo on there. You're holding a big fish.

Carole Theriault

'Look at this huge fish I've caught.' Yeah, even from a security point of view, it's not a good idea catching a big fish, is it? It's never someone sitting on a sofa eating, you know, family-sized bag of Cheetos or whatever. But the first port of call these days is you go online. You don't tend to go down to your local Superdrug, see someone cute, and then approach, because it could be pretty dangerous depending on what they're trying to buy. I don't know if conversation opener of 'Hi, you itchy?' is a good idea.

Lianne Potter

Works for me every time.

Carole Theriault

And then you dive into this online dating pool and try to find someone who's a good fit for you. What would you be looking for? You'd probably, Graham, you'd be looking for someone who looks like a dead actress from the '50s, I'm sure.

Graham Cluley

Well, yeah, Diana Rigg. Diana Rigg, that's right. Yeah, yes, that's right, yes. Circa 1968.

Carole Theriault

I'd be going for a Danny DeVito clone, you know?

Graham Cluley

That's pretty much what you've got, isn't it, at the moment? It's quite short.

Carole Theriault

But, you know, whatever your pleasure and the aim of the game is to find love. And if you start now, maybe in a week's time when Valentine's Day is upon us, you might already be starting to feel that warm sparkle feeling, you know, of a budding relationship. Well, I'm here to say stop right there, people. Because according to Lloyds Bank this past weekend, romance scams have increased more than 20% in 2023 compared to 2022. And I have a few questions for you just for fun. So what age group do you think is reporting losing the most money? So averaging £13,000 on average in this age group, almost doubling the average across all romance scam reports in the UK.

Graham Cluley

Is it 54-year-old male podcast hosts? No, it's not.

Carole Theriault

Okay, thank God. All right, do you want to guess, Lianne?

Lianne Potter

I want to say probably millennials, and the reason why, just because we've grown up with the likes of Dirty Dancing and stuff like that. We're looking for love, we're looking for that dance partner to really take us onto that nostalgia train.

Graham Cluley

Oh, and I suppose they're all on the TikToks and things as well, aren't they? So they might get what— what is it called? A thirst something, isn't it? What's it called? Oh, you know. It's a thirst trap. No, is that not what's happening?

Carole Theriault

It's older people. It's 65 to 74. They're the most trusting. Coffin dodgers. Which group do you think were most likely to report falling for a romance scam?

Graham Cluley

Not the oldies, I'm guessing. Young people. Not the oldies. Young people.

Carole Theriault

That was much closer to your original one. 55. It's 55 to 64. More— it's more people over middle age that are falling for these things. And in Canada, things are much, much worse. According to the Canadian Anti-Fraud Centre, romance scams cost 945 victims more than $50 million, an average of $53,000 per victim. We're way too trusting, Canadians. Way too trusting.

Graham Cluley

Extraordinary, isn't it? That's a huge amount. I've actually received an email today from someone who says that their friend has been exchanging messages from Mark Ruffalo. You know, the Hollywood actor Mark Ruffalo? Who's the Hulk or something.

Lianne Potter

He would be on my list for sure.

Graham Cluley

And this person says she's never spoken to him. They've never seen pictures of each other. It's purely been text. And her friend is completely hook, line, and sinkered and ready to give them a fortune. Completely convinced. And she was saying, what can I do about this? It's horrendous. And you can imagine people giving a huge amount of money because they think, oh, but it's going to be love.

Carole Theriault

Yeah, they often use fake photos. They often refuse to meet up. And common excuses may involve working away in the armed forces or international aid or charity work.

Graham Cluley

Or in Mark Ruffalo's case, he's just got very, very angry and is now 14-foot tall and ripped with green muscles.

Carole Theriault

Yeah. And his muscles are so big he can't actually reach the keyboard very well.

Graham Cluley

He hasn't got a reliable pair of trousers. He can't go out on a date. He's got plenty of excuses.

Carole Theriault

The scary thing, though, is the scams can last a seriously long period of time. And that's what allows the fraudster to build trust with the victim. So in your case, right, this may have gone on for months. And it might carry on until he asks for money. And usually the claims are family issues, medical bills, needing money to arrange to meet up because their money's all tied up. And what douchebag wouldn't help out a brand new potential partner? Especially when you've been talking daily for months and want to meet. Have you heard this term pig butchering? In connection with romance scams? I hadn't heard it. Shows you how much security—

Lianne Potter

No, I've not heard it.

Graham Cluley

Oh, I thought we'd done it on the show before, pig butchering. Oh, maybe I just mean we stopped listening. Didn't listen. Don't listen to that podcast.

Carole Theriault

I was just going, interesting. Uh-huh.

Graham Cluley

I'm sure it's one of your stories is actually— hang on, I'll have a quick search through our past episodes.

Lianne Potter

Oh no, we figured out that she's the deepfake. So, okay, so pig butchering.

Carole Theriault

So it means basically priming the victim in preparation for financial slaughter. So fattening the pig. It's so disgusting.

Lianne Potter

Very evocative.

Carole Theriault

Yeah, but it's so gross because people are doing what people do, looking for someone to connect with, right? And they do it online now because that's where everyone spends their time. And scammers take advantage of this. And perhaps, I don't know, do we need to lean on dating sites to do more? Is that the problem here, that we can't trust them? I mean, if they're using images that are already taken from somewhere else on the web to use as their dating pictures.

Graham Cluley

Or they're generating them with, dare I mention the letters AI again, in which case they may not be anywhere else on the web already. And the scam is really occurring when people begin chatting though, isn't it? It's not necessarily even on the dating site. The dating site is the initial hook, but then they're chatting to you on WhatsApp or whatever it is, and it may be months and months down the line before they say, "Oh, I've got this great investment in cryptocurrency. You should really do it too, 'cause I love you so much. Why don't you put some of your money in? I'll do it for you if you like. If you don't know how to do it, just wire me this money." And bam.

Carole Theriault

Yeah, and one of the things as well, I was reading, and I have a link in the show notes from a CBC article where someone was trying to catfish this woman, and then eventually explained why he did what he did and how he did it. But one of the things he mentioned is I create a new profile on Instagram, I go out and try and lure in as many women as I can that fit the profile that I'm trying to get. And then I need to get them off Instagram as soon as possible. Because if someone finds out and reports it, the account gets taken down. And then I've lost contact with all the other people I've worked on. You really want to establish a second means of communication quickly, which could be a warning, you know, if you're talking to someone. But it's kind of scary. So during this romantic time, keep your wits about you. If you meet someone new, don't not tell your friends and family. So at least in your case, what you were reporting earlier, Graham, they've told a friend and family, but they're not listening to the friend and family saying, take heed.

Graham Cluley

No, they're not listening to them. Yeah, take heed.

Lianne Potter

That's the hard part, isn't it, is when they don't listen because the reason why they're so good at what they do is because they really make you believe that you are the one and they are the one. And it's really hard to convince people otherwise because when they say, you know, you make first impressions within the first microseconds of meeting someone, it's really hard actually then to go back on that. And yeah, that's how come they're so successful. It's just, it's so sad when even when you actually see the signs, you just cannot convince the other person that it's not true.

Carole Theriault

Yeah, I agree. And I think my best advice is literally rather than attack someone in Superdrug, wait for them outside, right? A comfortable distance away, and then say something romantic. When they walk out, say something "Hey, did you get what you came for?" And wink or something.

Lianne Potter

That'd work, right? Sorry, what? You were gonna mug me. It sounds like you're gonna mug me. What's going on? I think you've been out of the game for a bit too long, Carole. Yeah, she found her guy at the zoo.

Carole Theriault

This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out. Welcome to Kolide, a world where access is only given to approved, secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning less resources are needed to effectively operate a more secure environment. Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing. That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide for sponsoring the show.

Graham Cluley

Shortcut compliance without shortchanging security. That's what Vanta can bring your company. Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money. Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta. Just go to vanta.com/smashing to claim your discount. That's vanta.com/smashing. And thanks to Vanta for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related. I am trying to stop my brain turning into mush. Started a bit late. Well, yes, possibly, possibly. But I realised I need to do more than just play chess badly.

Carole Theriault

So I've also been playing a little bit of Sudoku, which I'm sure you guys have all played in your time. But I, you know, I was doing a bit of Sudoku and I thought, I'm not entirely happy with this app. So I went into the App Store and I was looking at Sudoku apps and I was trying them out. And they've got bad user interfaces or they've got intrusive ads or they're really unforgiving because if my fat fingers happen to press the wrong button or the wrong square, it goes, "Oh no, you've made a mistake. Oh, if you make another mistake, you're going to, you know, forfeit the game."

Graham Cluley

I know what I was trying to do. I just pressed the wrong button. Don't be so mean, I'm thinking. Why should I?

Carole Theriault

Are you not worried about your stress levels and your heart? As opposed to your brain mush-ness? A little bit. And also, you know, we were all worried when King Charles had really sausage fingers.

Graham Cluley

I think— yeah, oh, that's true. Yeah, I could get— Go get checked out. Go check out my sausage fingers. Someone might come on to you. Anyway, I thought there must be something which doesn't have a bad user interface, doesn't have intrusive adverts, can handle your sausage fingers. And it can handle— sausage finger compliant. And I found it at sudokuexchange.com, which is a lovely, beautifully designed little website with lots of sudoku exercises. It suits all of my requirements. I'm very happy using it. I'm not very good at sudoku. I've got to get up to speed. My partner, much faster at it than me. But I like this little website, so that's what I'm using. So my pick of the week is sudokuexchange.com.

Lianne Potter

Mm. Very good. You could have got the same from a Sudoku book as well. Yeah, right.

Carole Theriault

Smokes. I have something for you, Graham, what you could do. Go ahead. This is what my parents-in-law do. Every morning when they wake up, they both have the same— two copies of a Sudoku book, and they race each other. Oh my goodness. Oh my God. They go, okay, we're doing number 59, go. And that's what they do before they do it.

Graham Cluley

That's it, 59. Anyway, yes. So, back to the drugstore. Lianne, what's your pick of the week? Moving on quickly.

Lianne Potter

So my pick of the week this week is for people to get used to being a bit more comfortable with the unknown and to inject a bit of spontaneity into their lives. So— Oh, hello. Yeah. Carole, Graham, picture this, right? You're both on stage and the crowds look at you and the host of the event says, now, how do these two people know each other? So you and Graham, and the voices in the audience all call out, but one's louder than the rest, and they say coworkers. Great. So the host nods and then asks another question. So where do they work? And then you hear a choral sound, and the sound is, in an abattoir, they demand. And then the host then turns to you and says, right, you're both coworkers who work in an abattoir. Begin your scene in the style of a 1950s musical. How would you both feel about that situation?

Carole Theriault

I'm not super familiar with 1950s musicals, so I would feel out of my depth a bit on that, but I do love a bit of improv.

Lianne Potter

That's exactly what it is. So for the past two years, I've been spending my time getting used to situations like that, not working in an abattoir, which is the most requested place of work in a scene. Really? Absolutely. Gross.

Graham Cluley

Yes, not in real life, I think, only in improv situations. Just in improv.

Graham Cluley

Yeah, I have. Yeah, they are really good at even when it doesn't land, they take it so easily. And I think that's such a great skill to learn. So for a decade I've kept saying to myself, I'm going to do a course in improv one day.

Carole Theriault

And I bet it helps a lot with podcast life too, right? Because yeah, during interviews and when you're chatting with people, you can just listen and then think at the same time. I think that's almost the skill is you need to take in and also come up with something.

Lianne Potter

And along with the word prolapse— let's not go into that. But I've been performing as part of an improv group, and I couldn't have done it without my pick of the week, which is the Laugh at Leeds Stand-up and Improv Comedy School. And I've always been a fan of shows like Whose Line Is It Anyway since I was a kid, and I was always in awe of their ability to kind of think on their feet, you know, and I guess even more so be totally unfazed when a joke bombs or doesn't land. I don't know if you've watched any of that show recently, revisited or anything like that. Yeah, so the first few weeks you just get trained on two principles. So one is listening, and then the other one is a principle called "yes, and." Whose Line Is It? It wouldn't matter if you didn't know anything about a 1950s musical. You just have to roll with it. And it's just a really great thing. And what I think we could learn from in cybersecurity about it as well is that yes and principle is, yeah, when people come up to you in the business and say we want to do something, instead of just saying no, we can't, yes and maybe we can look at it from this security angle would be a really useful thing to do. So that is my pick of the week. Learn improv if you can, and if you can learn it at Laugh at Leeds.

Lianne Potter

Sounds like you are a perfect candidate for Sticky Pickles. Just saying.

Graham Cluley

I was told some years ago I should go and do an improv course because it would help with my public speaking. So I did go on one, and at the end they were going around everyone and saying, you know, you were really good at this, you were good. They said, and you, they said, point to me, you're really good at bullshitting. They said, you're really good at just—

Carole Theriault

Well, obviously not if they spotted it, you know, that's not how bullshit works.

Lianne Potter

Touché.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

As I warned you, I have a gruesome recommendation for my pick of the week. I wanted something extremely anti-Valentine's-y, right, to counterpoint my story that I've mentioned earlier. So this is a TV series, not a new one. I think it came out, first aired in 2017, called Mr. Mercedes. It's based on a famous trilogy by a horror god, Stephen King. Now, as a kid, I read a lot of Stephen King. I really liked— me too. Yeah, right? I just loved it. Anyway, so this book, Mr. Mercedes, is what King calls his first hard-boiled detective story. So you have this retired detective, Bill Hodges, played by Brendan Gleeson, who is haunted by his old unsolved case, Mr. Mercedes. And this is where a nut job stole a Mercedes and drove it through a line of job seekers at a local jobs fair, okay, killing 16 people. Horrible, right?

Graham Cluley

Cheery. Yes, like you said, right.

Carole Theriault

I know, I told you, not cheery. I warned you. And the guy driving the Mercedes and who killed all those people was never caught. And we have a retired detective who is curious about tying loose ends up and starts asking questions, giving this Mr. Mercedes a brand new person to toy with. And the game goes pretty dark pretty quickly. I cannot underline enough how dark this is. I could not watch scenes at all. I even had— My husband and I, last night, we were watching the last episode, literally, where I was humming. He was reading the text to himself. He wasn't telling me, and I was humming, and my eyes were shut, and my fingers were in my ears, 'cause I just— The scene was just too disturbing. But the best thing for me is the soundtrack. It's so good. So, your detective has a mixtape moody blues soundtrack that's always playing, some old country, really gorgeous stuff, curated so well. And your psychopath is more into the alternative indie rock with punkish overtones, stuff from the '90s. And both of them, great tunes. I loved it, loved it, loved it. So if you want something super dark and non-romantic at all, my pick of the week, Mr. Mercedes, currently streaming on Disney+.

Carole Theriault

Well, okay. I just found out doing research for this that actually the series I watched, which I thought was a one-off, is actually one of three series.

Graham Cluley

Now, is there an actual resolution to this if I'm going to invest in this series? But the first series is sort of encapsulated. The first one ended well.

Carole Theriault

Yes. Okay, well, that's good then. All right. So I have no idea where it goes from now, but, yeah, there you go.

Graham Cluley

Well, thank you for that, Carole. Very cheery. And that just about wraps up the show for this week. Lianne, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that? So I'm on LinkedIn. I'm the one with the really humble headline banner. You can find me under Lianne Potter. And you can follow us on Twitter @SmashinSecurity, no G, Twitter now has to have a G, and Smashing Security is also on Mastodon. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.

Carole Theriault

And big fat thank yous to our episode sponsors, Kolide and Vanta, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 357 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye. Bye.

Lianne Potter

Thank you, Lianne. No worries. Thank you, Lianne. How was it? Oh, I loved it. Thank you so much. I was so incredibly nervous to start with, but thank you.

Carole Theriault

Oh, you didn't sound nervous at all, so that's cool.

Lianne Potter

That's the improv in it.

Carole Theriault

There you go.

EPISODE DESCRIPTION:

Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard against pig butchers as Valentine's Day approaches, and spare a moment to feel sorry for poor ransomware gangs.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the "Compromising Positions" podcast.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy