Cyber Crime Junkies

Protecting Identities - Best Practices and Fraud Prevention

Cyber Crime Junkies-David Mauro Season 5 Episode 38


Fraud Expert Ayelet Biger joins us. Find her at her site:  https://scamranger.ai/

Chapters

  • 00:00 Introduction and Overview
  • 02:49 Shining a Light on the Victim's Perspective
  • 10:00 Creating a Seamless User Experience
  • 12:23 The Role of Behavioral Biometrics in Fraud Detection
  • 15:16 Distinguishing Between Legitimate Users and Cyber Criminals
  • 20:06 The Ecosystem of Credit Card Fraud and Identity Theft
  • 26:15 Bank Liability and Fraud
  • 28:09 Common Scams
  • 36:03 Pig Butchering Scams
  • 39:27 Crypto Investment Scams
  • 44:43 Red Flags in Scams

Send us a text

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-446

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!


Fraud Expert Ayelet Biger joins us. Find her at her site:  https://scamranger.ai/

 Protecting Identities: Best Practices and Fraud Prevention 

Chapters

 

00:00 Introduction and Overview

02:49 Shining a Light on the Victim's Perspective

10:00 Creating a Seamless User Experience

12:23 The Role of Behavioral Biometrics in Fraud Detection

15:16 Distinguishing Between Legitimate Users and Cyber Criminals

20:06 The Ecosystem of Credit Card Fraud and Identity Theft

26:15 Bank Liability and Fraud

28:09 Common Scams

36:03 Pig Butchering Scams

39:27 Crypto Investment Scams

44:43 Red Flags in Scams


Dino Mauro (00:11.906)
Well, good morning, everybody. I am David Morrow, host of Cybercrime Junkies. And in the studio today, we've got a great episode. We've got Identity and Fraud Protection Expert, I yell it by your and and I apologize if I just mispronounced your last name, but I think I got your first name right. And we're going to discuss a whole host of things like identity protection, best practices. Here's some stories talk about fraud prevention and kind of learn

how to keep ourselves secure, our families, but even equally as important, the organizations and the brands that we serve in our day job. So, I yell it, welcome to the studio.

Dino Mauro (00:59.758)
Join us as we go behind the scenes of today's most notorious cybercrime. Every time we get online, we enter their world. So we provide true storytelling to raise awareness, interviewing global leaders, making an impact and improving our world, translating cybersecurity into everyday language that's practical and easy to understand. We appreciate you making this an award winning podcast by downloading our episodes on

Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and now the show.

Dino Mauro (01:49.848)
Thank you so much, David. So did I pronounce your last name right? Was that okay? Bigger Levine. Okay. Close enough. I apologize. So explain to everybody that's listening or watching kind of what your current role is. And then let's back into kind of what's driven you to kind of get there. Sure. So currently I'm in the process actually of starting a company. I'm working on something new in the area of online scams. I recently launched a podcast.

called Scam Rangers. Yep. And we're going to have links to that in the show notes. So check out that podcast. You've got some really good guests on there that kind of walk people through ways to protect themselves. It's good. It's how we found you. Exactly. The goal is to really take the perspective of the victim, because often when we talk about fraud controls, and I'm sure we'll cover that today, we talk about the financial institution or the merchant or the

e -commerce company and their perspective of low false positives, high detection rates, lots of KPIs out there. And oftentimes that part of, wait, but there's a person who's impacted financially and emotionally that needs to be, in my mind, taken more into consideration in decisions on processes and technologies that are folded into the fraud stack.

The goal of the podcast is to shine a light on the victim's perspective and give more insights and more thoughts on about that in the process. Excellent. And I assume that's available everywhere. People get podcasts. Yeah. Wherever you get your podcasts. Great. And then walk us through what your work history has been. Like how did you get to

saying I'm going to have a podcast, but not on how to, you know, best ways of cleaning a house or best ways of crafting or best ways of, of, of designing cars or like why fraud prevention? Like walk us through what, what, what triggered that. I would love to do a podcast on design, that's, know it's positive. Yeah. A lot more optimistic and positive, but, we try and keep cybersecurity positive. Absolutely.

Dino Mauro (04:14.99)
So my journey has been, started my career at IBM Research Labs and I worked there as an engineer and a researcher for a few years. And I then left to join RSA Security where I worked for 11 years. And I focused there on identity protection and fraud detection. So two intertwined areas, but one is more focused on protecting.

online banking systems and fraud stacks. And the other one is focused on enterprise identity access. There are. Yeah. Let's, let's break that down a little bit. If you don't mind. Is that okay? Because, because people throw terms around all the time. And for those that aren't even, and we have people that listen to this podcast that don't really even under, you know, like they're not cybersecurity people. Like they're just business owners or they are, you know, in various professions. So when we're talking about

fraud protection. What does that mean as opposed to identity protection? So when you're talking about the identity stack, that's more authenticating when you're at an organization. So for example, when somebody logs in, they're able to actually verify that they are who they are. And with that comes controls with that comes you have the ability to see X, Y, Z information, but not more than that because of your role. Is that what that is?

Yes, so when I talk about enterprise identity exactly, it's authentication, authorization, it's are you who you claim to be and what are you authorized to access? And also what are the tools and systems that we're trying to protect as an organization? So if I have, if people still have on -premise applications and then there are cloud applications, then really analyzing the environment and understanding who should have access to what.

What are the risk factors based on classification of the data that resides within application based on the business processes, the risks of the business? So it's not just authentication. It's really taking a holistic approach at the data, the risks, the processes, the regulations, and which users should access what kind of data, especially admins who have kind of keys to the kingdom and have more.

Dino Mauro (06:32.598)
rights and are considered privileged users. All of that needs to be taken in consideration when deciding and creating multi -factor authentication policies, access policies and authorization policies. So I dealt with all of that at RSA and worked with any type of organization really to determine what their needs are and what solution would best fit their needs. Excellent. And then from there,

What happened next? So I went back and forth between, as I mentioned, fraud and identity actually started on fraud side. So I worked as a product manager on a team that developed controls to help financial institutions protect their online banking systems. So when I talk about fraud tools, it's really looking at the specific user's activity within the account all the way through the account myself. from a...

all the way through the account lifecycle. So from account opening to then the activity within the account and saying, one, is this user who they claim to be? So is it the right user authentication, login? But in online banking, as opposed to enterprise access, there's a very large concern with regards to friction. How do we make the customer journey, this is consumer accessing, how do we make the customer journey very, very seamless and protect them

in a subtle way, in a silent way where they don't have the notion that necessarily that someone is looking at their device and things like that. we try to collect. go through, start from the seat of the customer and say, how many clicks is it getting to get here? How much verification is needed so that we can keep them safe, but still not make it such a hassle to use our site that they're going to go to a competitor? Exactly. Exactly.

So that's the concern. How do we balance security with usability for the end users? yeah, I think that's one of the challenges the whole industry faces, right? Exactly. But when it comes to consumers, I think the bar is higher. When it comes to enterprise, absolutely need to balance that and create a good user experience because we want our employees to be productive. But when it comes to consumer, it's also the challenge of if it's not good enough, they'll go to a competitor.

Dino Mauro (09:01.014)
That's a good point. Like an employee might gripe or it might be a little hassle, but they know it's almost a condition of employment. Whereas you don't have that control over a customer. So that has to really, it's a much more difficult challenge. And how do you guys do that? you use, do you engage with the, the graphic design team with the website hosting group? Like how do you guys implement that?

So I would say when it comes to creating fraud controls, there are many stakeholders involved. Absolutely those digital teams and marketing and everyone product, everyone who's responsible for the metrics that are customer acquisition and customer retention and offering more products, they're all involved and they're all stakeholders. But of course we work directly with a fraud control team. So those teams that determine the strategy, it's always a layered approach and it's always okay.

How do we create that seamless experience by collecting other elements that are maybe hidden for the user? So not always multi -factor authentication because you're doing, you want to perform this payment or you want to do bill pay. You can't authenticate the user multiple times in the session, but we all know that login protection is not enough. And even if the user had logged in successfully past multi -factor authentication and login, we still need to verify every point.

every point of risk within the online banking session. So in order to do that, we collect other elements that can indicate risk. Like what? So again, layered approach. So there are, would say are a few categories of data that could be collected. The first one, and I think the long, the longest one in terms of the years that this has been going on, that we've been doing online banking fraud detection is IP intelligence.

is the IP location, one that we've seen from this user and other elements of the IP. Another category is device elements. And this can be a range of cookies, device fingerprints, browser settings, language, everything that can be collected. are a lot of Because there's a lot that comes with us when we log on a site. There's a lot that the site can see about us.

Dino Mauro (11:25.23)
and our history and all that other baggage, all those have elements. And so if there's red flags in there, you want to limit. Right. So basically, fundamentally, the question we're asking is, is this the user we've seen in the past or is this someone else? kind of creating authentication through a device. And then there's location, as I mentioned. And then there's behavior. What is the behavior of this user? What time do they usually log in? What page?

And they never logged in, but now they're logging in trying to withdraw $10 ,000 immediately. Right. That's a red flag. Right. So looking for behavior patterns that are not typical for this user. Right. And then there's a whole cat. So I would call that behavioral analytics. And there is a category of that's really evolved in last few years and also kind of talking about my journey. Then the company that I joined after RSA BioCatch focuses on behavioral biometrics. And that is actually

looking at the user interaction with the device. So basically how users type on their keyboard, how they click with their mouse, how they interact with the mobile device to say, to answer two questions. One is, are you the user that we've seen in the past? So kind of that form of authentication throughout the session. For example, if you're left -handed or right -handed or you type very fast or very slow, things like that, that change over time. you can capture that, you have visibility. And think a lot of people don't realize that.

I mean, those, those that are listening that are in the security field that are professionals probably know that already, but a lot of business owners and regular people probably don't know that. Yeah. And I would say that for a long time, it was considered kind of, does this really work? It's dark magic. Can we really tell who someone is based on the way they interact? And I think when you look at something throughout the session and you look at the past, we've, I think companies like bio catch and other

behavioral biometrics vendors have proven that it's very effective. And I would say what's what in my mind is even more effective is looking at patterns of good versus bad. So I'll give an example or two to explain what I mean by that. Please. And first of all, what's interesting is that you guys can see that, meaning you can design a website for a bank or credit union investment firm in the finance sector. And you would be able to capture

Dino Mauro (13:53.26)
the way I'm using my phone. Like, you know what I mean? Like, how could you even see whether I'm using my right hand, left hand, whether I'm typing fast, whether I misspell the same words over and over, which I tend to do given what device I'm using, right? But those patterns could easily identify me or identify somebody else if they're not doing them. Exactly. And just to be clear, they are not using a camera.

or recording that it's all through the interactions that common keystrokes, mouse movements, gyro on the mobile device. it's, and it's, you're not across the street with a telescope and a box of donuts like zooming in on my phone. get that. Right. It's more, it's more just the looking at the data that we're inputting. Right. Right. And, actually not the actual content of the data. It's more the

the pace and the pauses. So I'll give the examples of how we can distinguish between kind of good and bad behavior. So for example, when someone is opening, imagine someone is opening a new account with a bank. So what they're doing is they're opening a form starting to fill in personal information like name and address and social security number and other details. And they will read the

terms and conditions and pause and choose a credit card design if it's a credit card application. So some differences between legitimate users and cyber criminals. So when a cyber criminal opens a new account with stolen information or synthetic ID, first of all, they will know the process really well because they do like 50 or 60 of these a day. So they'll jump only to the mandatory fields, complete the information required, not start.

stop and read the terms and conditions. They'll do it very fluently from a process perspective. However, when they enter the personal information, they're going to use their short -term memory because they're doing copy paste from a list or they're remembering something and then they're going off screen. so there are differences in the way people input data if it comes from their short -term memory or their long -term memory. And if it comes from their long -term memory, the typing will be more continuous.

Dino Mauro (16:12.11)
there are less pauses, which we'll see in cases of a legitimate user. So those are some examples. So that's the third category. We talked about device, IP, behavioral analysis and behavioral biometric. So these are some of the methodologies used for fraud detection. So where does this element sit in an organization, right? If you're working for a large company, let's say,

Let's say it's either a bank or a system or like one of the three major credit bureaus like, you know, we were talking to somebody recently who's in Insider threat an insider threat group. They kind of sit underneath the cybersecurity group. There's HR. There's legal There's all of these different roles on a day -to -day task, but they all kind of have the same mission involved they just have to look at different metrics and different data and apply different standards and and

skill sets. Where does the fraud prevention, fraud detection arm of an organization typically sit? Obviously, it's going to be exceptions, but as a general rule. Obviously. I would say it really evolved over the years. Initially, I think it did sit under cybersecurity. To clarify, cybersecurity is always a stakeholder in any decision. They are not necessarily

the ones that are going to look for the technology and decide what the fraud stack components will be, but they'll always need to give a thumbs up and verify that this fits the standards of the organization. Typically, because we're talking about customer facing controls, this sits under either product. the product, and we've seen a lot of kind of cross -functional teams, it sits either under the product they have their fraud

fraud teams who are dotted to cybersecurity or kind of there's or risk. There are a lot of many organizations that have a risk chief risk manager, chief risk officer, and the fraud team will report to those people. And I would also note that it really depends on the country. The model that I talked about is in the U S but we've seen other countries where it's still directly reporting to cybersecurity. And that would be the CISO or CIO depending on how it's organized.

Dino Mauro (18:37.73)
Right. Interesting. Interesting. So, you know, a recent National Geographic show, Trafficked, was on last night and it was talking about it had our friend John DiMaggio on and they were talking about how some of these criminal gangs, historically drug dealing gangs like, you know, the Crips and the Bloods and the I mean, like violent gangs, street gangs like

with their organized, their, their, their, they're very well known, right? that they have been getting into identity theft and credit card stealing and opening in fraud and things like that, because a lot of it has to do with the criminal penalties that are out there, right? Because they get caught doing that. They might do five years in a federal prison as opposed to selling fentanyl and it kills somebody. They get charged with murder and it's in a state penitentiary.

So, if anybody knows anything about our judicial system, going to the federal penitentiary for a shorter period of time is much easier to rebound from than a state penitentiary. Typically speaking, generally, there are exceptions, of course. But are you seeing, in terms of the stories that you hear and what you're seeing, who's kind of behind driving a lot of this,

credit card fraud and a lot of these fake accounts, account takeovers, things like that. It's a huge ecosystem. And as you say, it's growing. And I think there are a few reasons for it. One of them is what you mentioned, law enforcement penalties around it. I think our system of law enforcement and tracking and not to mention regulatory is just starting to keep up with

the craziness that's out there. But as you mentioned, these are organized criminal rings that are well established. I think they see themselves kind of as white collar crimes versus these are not considered violent crimes, although the emotional and financial impact. it's brutal. they are brutal. And there are cases of suicide. And so you

Dino Mauro (21:03.468)
I don't know if you can call it murder, but it's, it's devastating and it's devastating to people like those violent crimes. think that can we go down that path just for a second? Like when somebody gets their identity stolen or their bank account taken, mean, is there, there's, there's two theories out there. And one is some people don't worry about it because they think the bank is going to take care of them. And then other people are so paranoid that they don't think at all that there's any

resolve for them. What is the reality out there? mean, if somebody takes over your bank account or they file false tax returns, they start doing this, it could go on for years and years, right? It can follow you. could destroy your credit, your FICO score, which in turn stopped you or hinders your ability to get an apartment, rent a car, buy a car, buy a home, invest, things like that. What are you seeing? I agree. I think it is a nightmare.

and it takes years to recover. And it depends. I'm not going to say that all cases are the same. of course, let's try to organize it a little bit. So identity theft that result results in use of identity to, to conduct things that will impact credit scores and will, you know, apply for false tax returns and all the things that could happen will result in someone having to really

clean up and tidy up the mess for a very long period of time. So the best thing to do is kind of to protect upfront to freeze kids credit scores in advance so they can not have their identity stolen and credit abused because the, I think the challenge is noticing that it happens and it happens in many ways. It's not necessarily because we're negligent, maybe there was a data breach for a merchant that we work with or.

another company, even an enterprise company that we work for could have a data breach or. Absolutely. mean, we talk about that routinely, right? It's why security is all of our responsibility. know, when we have to have different passwords for every single thing that we log into, we have to, because we can't control what

Dino Mauro (23:24.734)
when we go, if we use the same password, as good as that password could be, if we use that same thing for XYZ site, because we're going to go buy something there, what we don't realize is XYZ site will sell our data, which means our name, address, credit card information, the the password, the account that we created, they'll sell it to somebody we don't even know about. And then that organization could sell it again. But even if they don't,

that third party that we're not even aware can get breached because we don't know anything about that. We trusted the one vendor that we're going to buy something from. And then they have that really good password with our name, our information, everything else. And so now it's being used to create a credit card and incur debt in our name. Right. So I think one of the things that people should do is regularly check and

There are sites like, have you been pawned to see if your email address was involved in a data breach. There are credit checks that we could do. There are alerts. are different tools out there that could alert. Freezing your credit? you credit for kids? I would say you don't want to your credit because you're using it and you're developing it. But your kids' social security numbers could be leaked and leveraged to create synthetic IDs by cyber criminals. So basically taking

a valid social security number and maybe putting different elements of names or misspelling them to then open an account with a synthetic ID. Can people freeze their credit and then unfreeze it if they're going to, like if they're not currently in process of buying a big ticket item, right? You can still freeze your credit and use your credit cards. You can still freeze your credit and improve your FICO score, right?

that's something that I'm not very familiar with while, while still transacting, but definitely for, for, for kids for sure. Because even if you're, if you're active, you know, you'll see that there are transactions. Again, we need to look at our credit card statements. need to check what's and see what's out there and get the alerts. So, so I definitely recommend to.

Dino Mauro (25:45.774)
to be aware and to follow whatever your identity is involved with. But for kids, we don't do it often because we don't have, we don't think about it. Most people don't, most people don't, right? And then, and they can use that child's identity for 10 years. They take a eight, they take an eight year olds identity. They can use that for a decade before that child's 18 and actually looking at their credit, if at all then. Now you talked earlier about people thinking, my bank will take care of it or.

or not. just want to also mention the difference between the bank's liability in different scenarios. So when it comes to account takeover fraud, or even identity theft, if someone steals my credentials and is able to log into the bank account on my behalf, which we call account takeover and perform unauthorized transactions, the bank is liable and the bank will help. There's a regulation called reg E.

And it it drives that, that liabilities for banks to reimburse customers for case of account takeover. And that is why banks are creating really great fraud detection platforms because they're also liable. Right. And they're losing all that money. when it comes to online scams, where someone is tricking me into transferring my money and I do it and I authenticate and it is me and I can't prove that it wasn't me.

In this scenario, the bank today is not liable in any place in the world. There are regulations coming in the UK, by the way, to mandate reimbursement and they're hot topic of conversation these days. But that scenario today is not covered. And a lot of people, because they know that the bank will reimburse them for unauthorized payments, they think that they might be covered for scams as well. But that's not the case. It's really what are some what are some common scams?

that people obviously we hear about online dating scams, hear about education scams, there's a whole host, but what are some of the most common that you see? Wow, so many. They're very, very creative. So there are delivery scams, like your delivery, you know, it could be from UPS or USPS or whatever your delivery.

Dino Mauro (28:09.718)
address needs to be confirmed, please click on this link. And then you need to pay to get something advanced fees scams. Now we see a lot of fake job scams. And that's, I would say the hottest topic because there were layoffs and the job market is a lot of people searching for new jobs. And I've heard a crazy story where someone actually started thought they applied for a job or they were offered a job at one of the cryptocurrency companies.

And they thought they actually went through an interview process and they started to work. And then they were asked to buy something to, to go onto the website and buy, start buying something and spending money to buy a computer and different things. And it was all very weird to them, but that was a whole scam where the scam. They lured the employee in. Yeah, they lured the employee in the employee started to work, but you know,

We need to set up your direct deposit or we need to set it. We need to have you buy this element that will go with your company computer that we're going to ship you or something. Right. Go buy this dongle or go buy this personal thing. A lot of our employees choose this. People go and do that. And that's really what the scam was. Right. Because now they have your multiple levels. It's definitely that. So they pay for something that you give their credit card details, but they give their think about all the information we give to an employer.

All that. Absolutely. They know everything. exactly. Well, that's and that's pretty common. And I mean, we also know that on the on the other end, there's like deep fake scams where people are applying for remote jobs. The FBI warned about that last summer. But this is different. This is where we individuals as employees can get can can get scammed. Exactly. What are things we have?

Yeah. Let's go through some of the other scams and then I want to hear what people can look for. What are some of the red flags? Absolutely. You just mentioned DeepFake. so this is a really interesting scam where someone's social media account is hacked and that happens all the time because they don't use multi -factor authentication. And data breaches lead to leak of passwords that are used across multiple places. So social media accounts are hacked. And now

Dino Mauro (30:31.96)
cyber criminals are actually taking over those accounts and using deep fakes to create videos, impersonating the real account owner saying something like, I've invested in crypto and I've got these gains. So the followers who trust this individual will now believe that they invested in crypto or they did this thing and they'll buy into that as well. So recently a news article about this.

this type of scam as well. Unbelievable. how, what could people look for to, to see those red flags so that they don't fall prey to it?

First of all, I want to say that it's important to look for red flags and I can talk about a few, but I also want to say that these criminals are very, very sophisticated and people will fall for scams and it's not their fault. So I just want to put it out there that even if it can happen to me and I look at red flags all day, it can happen to you. I just want to put it there. yeah, like absolutely. I mean, we were

searching for a car for my son years ago. This was maybe two years ago and there was a great car at a great price. But then all of a sudden it was, think it was on like Facebook marketplace. It wasn't even through a dealership, which is like a huge red flag. But we're like, that's pretty cool car. That's a good price. And it said it was local. And then it was like, I'm in the military. I can't do this. It's going to be somebody else that'll pick it up. And

A lot of people, even if it's not a car, a lot of people will buy, you know, furniture to rehab or something like that on Facebook marketplace. Anything like that where somebody different is going to show up and you have to pay this third party in order to get this. And you have to pay ahead of time before you can actually see the item. Anything like that is a red flag, right? Absolutely. Absolutely. And, and then the next thing is a form of payment. If they want to pay, if you want you to pay through Zelle,

Dino Mauro (32:41.592)
Today, unfortunately, there are a lot of issues with that. And then that's another red flag on top of everything that you mentioned. Someone else will come to pick up is very, very common for these scams. So I recommend either cash or some other form of payment where you know that you can see the money and you have it in your hands. And yes, Facebook marketplace is heaven for scammers. So definitely be more cautious when you're on these common market. Yeah, it's nothing against.

Facebook, the company or the platform, it's the people that are leveraging it just like Craigslist and things like that. Exactly. And never pay a fee to sell something like if you're selling something, never pay a fee for it. If you are, I think there are lot of red flags of grammar there and a lot of people are saying, well, now with chat GPT, they'll be able to I just about to say that. very clear messages. But the thing is, they're doing it.

intentionally, they're trying to reach those people who will not notice the grammar mistakes. I posted something on LinkedIn a while back saying is this sloppy or intentional with a scam that I got that was very kind of sloppy, but it was so I don't think it's a it's something that it's a grammar mistake by by kind of by mistake. I think it was intentional and

they want to catch the people who will not notice the grammar mistakes. So kindly, sir, you you see it's not American English. Don't don't don't or think again, maybe. And then some other red flags are if they're asking you to this is more advanced, maybe to download a remote access tool or to identify with a crypto crypto wallet interface or something that

and it's completely disconnected from the whole conversation. I would also say that some of the most successful scams today are investment scams, crypto investment scams. absolutely. We've had, we've had victims on here and they're very bright people, but they, know, a lot of people want to get in the crypto investing because of the great returns allegedly. Right. And, there's so many people that have had their wallets just taken.

Dino Mauro (35:06.382)
I mean, it's really kind of shocking. have a whole episode on Jerry Cotton, the CEO who created the largest exchange in Canada and had hundreds of millions of dollars. But it never happened. He was just taking money in and giving them fake dollars that made it look like you had Bitcoin, but the Bitcoin transactions had never happened. So was almost like a Bernie Madoff.

thing in the sense that I'll give you this really great report, albeit this time it was online and it shows, look, your Bitcoin's going up. That's great. So long as you don't ever want to try and get your money out, then yeah, then and only then would you realize this is just a, this is just code we're putting on a site. You never owned the Bitcoin in the first place. Thank you for your $20 ,000. Right? Right. So, so in the pig butchering scams they're called, don't know what are those? Yeah.

yours is okay. So it's really interesting. These are they start with relationship kind of scam. So here's the flow. So and I'll explain why it's called pig butchering. So it starts with a random, let's say you get a text from me and I say, Hi, Susie, let's are we meeting for coffee? And you're like, this is not Susie wrong number. That's how it starts. It's always like a wrong number. It's always I had your contact, who is this I

deleted my contacts and I got this number all the all these kind of experts with the wrong number right like yeah nature is wanting to help right being helpful so sorry it's a wrong number you're so kind please forgive me for being so messy whatever and then you start a conversation and the other person uses social engineering to start to get you to share personal information

For example, where are you from? What do you like to do? And then you start conversation with this person that you don't know, but it's still relatable to you. They care so much and then they switch and they start showing you a flashy lifestyle. And you said that the people were very smart, but it's really, it's people who could be, could have funds, could be very, very educated. It's really across the spectrum of everyone. And

Dino Mauro (37:31.074)
What they do, these scammers, start presenting a flashy lifestyle. Here's a picture of me in San Francisco. Here's a bag that I bought. Here are all these cool things that I have. By the way, do you know how I have them? I invested in crypto. So it's called pig butchering because they kind of fatten the pig for slaughtering, which is horrible name, but they really convince the person and then they start getting them to invest small sums. And then it's what you described. The investment is never real.

They start seeing a screen with their investments going up, so they invest more. And maybe even at the beginning, they can pull out some funds. and it's very much like the way online ransomware gangs are. And that is they have to build credibility to make the scam, to get the $50 ,000 from you. They'll let you invest $1 ,000. And whoa, look at that. Bitcoin shot up or whatever.

crypto you invested, shut up, take your 1500 bucks. You got it. Right. And if you were smart enough to walk away, you just made money. It's great. But the truth is 95 % and I'm making that number up, but it seems like a lot of people wouldn't because they just did a little. The natural thought is, if I do more, think of how much more we can make. Right. And what we've seen, that's where they fatten them up, right? That's where they're fattening up the pig because

Now they're like, now they've built trust. Now they believe them. Right. Exactly. And these scams are very successful in the sense that people invest all of their money. we're talking about, if you're all the scams that we talked about before the advanced fee or the payment or the delivery, that's like a few hundreds of dollars. These are hundreds of thousands to millions of dollars. And that's why this is the fastest growing scam because it's so successful.

And the extremely sad story behind the scam is that because it's so successful, the crime rings are trying to get more people to perform these scams and they can't get so many criminals who want to do this. So they're trafficking people from China to Cambodia and putting them behind barbed wires in these complexes to actually perform modern slavery, which is scamming other people.

Dino Mauro (39:56.994)
So they're traveling. Yeah. Wait, what? Like, can you can you elaborate on that? Like, yeah. So these are these are white collar criminal organizations, right? As we think about it, right? Meaning they're not physically killing people, right? Directly, directly anyway. But they but they are trafficking people from one country to another to do to do what? OK, so, yeah, there

And by the way, in episode three on scam rangers, there's a whole episode on this topic on human with an expert on human trafficking who kind of really is following this very closely. Yeah, this is shocking. This is shocking. They need manpower. They need person power to be able to scam other people. They need people who will sit on their phones and talk to other people. And it's again, it's so successful that

They'll do human trafficking to get people to put on their desks. What they're doing is they're posting on social media sites and other through other means and are convincing people who live in China, even people, you know, who are very educated and they're offering them jobs and high salaries. So, for example, there was someone who wanted to be a chef, a Chinese person who wanted to be a chef and came to Cambodia to work in the restaurant business.

other people looking for different jobs and people who are caught in romance scams and think that they'll come and meet their loved one. When they come to Cambodia, they're actually kidnapped to work in this compound of pig butchering scams. my gosh. then they, wow. And then they sit for 18 hours a day, 16 to 18 hours a day and scam people. And you talked about violence.

those compounds are very violent because people don't want to do that. It's not only being trafficked, it's hurting other people that they don't want to hurt. But their conditions are horrible. There's beating and unbelievable. Very hard. It's very, very sad. So who can't? So again, to protect ourselves and our loved ones and our kids as they travel abroad or our friends and family that travel abroad, we can always. It seems so obvious.

Dino Mauro (42:21.418)
except that the social engineering is so persuasive, right? They appeal to what matters to the person. They give the person a little bit of what they need and they build up credibility and then they go in basically for the kill. What what what organization is tracking down these these human trafficking slash scam organizations like who's it? Is that Interpol? Is that

Are we, is the U .S. working with Cambodian authorities? Like, how are we going to at least monitor or contain it? So there are international organizations and I will say that the Cambodian government is getting pressure from Chinese government and other countries where their citizens are being trafficked to do more. So they are.

doing a little and they are finding some of these scam compounds, but there's also a lot of corruption. And that's why some of these countries were selected to perform these scams. a lot of these scams belong to cousins of people who are in the government. That's what I was going to say. They're being brought to those countries for a reason, because there's not great extradition or we don't have good visibility into it or good collaboration with the

current ruling party. Right. I would say it's not except for the US wanting to do good in the world. It's not kind of the US's responsibility. Right. But the victims of these scams are vastly here, mostly in the US and Europe. And I think that is becoming a huge concern. Yeah. So so in terms of the scams, we've talked about

romance scams, the pig butchering scams, the PayPal Amazon account scams. That's pretty common. I would think a lot of people use PayPal and Amazon. What are some of the red flags to look for for those scams? And absolutely just wanted to mention bank scams too. Yeah, I was just about to. That was next on my list, like the bank impersonation, the bank scams. let's deal with the PayPal Amazon ones and then get to the bank ones.

Dino Mauro (44:43.682)
So I would say whenever you get a message from Amazon, and I know that Amazon people, have their apps and they use secure communication channels. So first of all, a kind of rule of thumb, if something is too good to be true, like the car story you mentioned, it probably is. If something looks odd to you, go check. Go check that you perform that Amazon purchase or that Amazon has put in their...

secure communications channel, a message to you, same with PayPal, same with any merchant really, any e -commerce company or merchant that you work with, go and check in your messages because they communicate with you in their internal messaging platforms. When it comes to a bank, would say always initiate a call to the bank. Don't have them call you. And if they do, sometimes the bank will call you and it is legitimate. I just got a call yesterday from the bank and it was legitimate.

Or if a bank sends you an email with an 800 number, don't call the 800 number in the email because believe it or not, they buy those 800 numbers and they staff those desks. What you need to do is just open up, get online and find out the actual number for the bank and call that number. Right. Or call the number at the back of your credit card. Exactly. Right. And,

So definitely kind of make sure that you initiated your proactive. I would say the most fundamental basic one, especially for pig butchering scams, don't talk to strangers. That's something that we teach our kids from day one. Don't talk to strangers. If you have an SMS from an unknown sender, take a second. All your unknown sender messages should be always suspicious. Try to think about is this legit? Is this not? If it's a known sender, again, I'm not saying people are not hacked.

But also think about it, contact the person. There's the grandfather scam, which is very, very sad where they call someone or text someone who's elderly and they say your son is arrested under arrest. And here you can talk to this person and then they give them someone who's crying. So the voice is kind of obviously not going to be. And the grandparents and you need to bail them out. And then the person says, don't talk to my, don't tell my parents that I did something wrong and just, just come and save me.

Dino Mauro (47:02.464)
And then the grandparent goes to get money and send it wherever they need, et cetera, et And it could be the authorities asking for gift cards. So of course, authorities will never ask anyone to pay with gift cards. No, but sometimes it's like you have to pay the bail bondsman. can you, and they're kind of, you know, I mean, they're, they're, it's a little shady for most people that aren't involved in the legal system.

to pay a bail bondsman, that's a new experience at least, right? And, and, no, we hear about that one all the time. Again, it gets to the, it gets to like the neuroscience of it, right? Yeah. Because they rest of the action would be called the grandchild or called, you know, call the grandchild on their phone, but you don't act rationally because you're terrified this Because they have hijacked your amygdala. They have hijacked the part of your mind that is

flight or flight and it does it blocks the neocortex part of your mind which is the part that deals with rational thought. So even though you know better right you can't think better until you pause and if you pause for a minute or two it biologically lets your mind process a different part of your brain so that you can actually go this doesn't make any sense I'm going to go make that call but that's why there's always a sense of urgency.

That's why there's got to be a sense of urgency. Somebody's in jail, somebody's in the hospital. Do this within 24 hours or within the next couple hours, otherwise your account is going to be destroyed. And there's a reason for that. And it's biological. has to do with science. They've tapped into the fact that we can get otherwise bright people, well -educated, not well -educated, it doesn't matter, but they're bright people. And they would normally never do these things, but we can get them to do it.

if we create that sense of urgency. Something bad is going to happen if you don't act now. You articulated in a way that's perfect because that's exactly why it can happen to anyone. why am I kind of saying this all the time? Because it's so important for people not to feel shame and to record. agree. Yeah. And I think that's really important, right? I think that's a good empathetic approach because

Dino Mauro (49:25.226)
what we see with these financial crimes is, like you said, people commit suicide. People think, my God, there's depression that comes from this. In the episode that we watched last night, were talking about, they had like four five different people that had been taken their identities, and they were a mess. They were a hot mess. Like they were just destroyed emotionally.

It's the part that people don't see. People go, it's a few bucks in an account. You know what I mean? We're just taking from the big bank anyway. They'll pay you back. But look at these people's lives were destroyed and it just destroys their dreams, everything else. Really good stuff. Hey, thank you so much. We're kind of running out of time. Absolutely not the last time we're going to speak because we could go definitely down a deeper hole, especially with some of these new regulations.

and as we go into some of the more stories. we'll absolutely have you on again. We really appreciate your time. Anything, what's currently before we leave, what's on your horizon? What's coming up that's exciting for you? a lot. I'm going to launch a new website very soon that will allow people to kind of verify if a message is a scam and report scams to kind of help other people.

Well, that'd be great when you do, please let us know. And if this episode gets released after that's out, we'll have that link in the show notes that everybody can check that out because that's helpful. We usually direct people to like scamadvisor .com or some of those. but having somebody that's practicing this would be great. Yeah. And this looks at the message itself. great. Excellent. So that's part of it. And so that's a first step. And there's more more coming.

That's excellent. So thank you so much. We really appreciate it. Check her out. Connect with her on on LinkedIn. Your links will be in the show notes and we thank you so much for what you do. Right. Like driving things like this. There's a greater purpose. Right. And it's for protection and servicing others. And we really appreciate all that you do. So thank you so much for having me, David. This is great. Thank you.

Dino Mauro (51:49.624)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award -winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.

Topics covered: Best Practices And Fraud Prevention, understanding fraud pig butchering, Latest Fraud Tactics You Should Know, what to do if online fraud happens, how can we spot fraud in business, how to spot fraud in business, how to protect employees online, how to protect elderly online, best practices identifying fraud, best practices identity protection, how to stop scams against elderly and children online, how to stop online scams against elderly, How to stop social engineering, how to limit liability from data breach,


People on this episode