Bonus: Holiday Scams Unwrapped: Tips to Stay Safe this Season

My kids know nothing about technology. They have phones. They use them. They play video games and all, but they do not know how it works, which means they also don't know about a lot of these scams. So, you're going to give them this gear, and especially if you're going to give them payments, you got to tell your kids about that stuff. It's the holiday season, and scammers are working just as hard as Santa and his elves. So, we're bringing you tips to stay ahead of the cyber crooks trying to empty your wallet. Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Santa Claus. So let's start with the hot stuff. We've talked about AI a lot on the show and AI scams, but this is when they're going to ramp up. Don't you think? We've talked a lot about the voice and video cloning. which kind of is sort of like the scam you were talking about, but even taking it to the next level of, you know, that's actually what I was thinking of. Were you going to say that there was like a video of the guy sitting next to him supposedly calling him and it looked real? That would be crazy.

Yeah. You know what's funny? I think if I understand correctly, there's a new malware for your phone. When you go to call out to your bank, unbeknownst to you, redirects it to a different phone number. I forgot what malware that was, but like you're calling chase. And meanwhile, it's calling the fake chase. It re-diverts the numbers now. That's terrible. That's really bad. You don't even know you're being scammed and you're being scammed because you're being scammed.

Well, you don't even know it. And you know, you may be doing the things that we always tell people to do, like call the number on the back of the credit card. Don't click a link or anything. But if they've managed to reroute you on your phone, oh, that's nasty.

So like the old Kevin Mitnick trick, you know, unfortunately Kevin Mitnick passed away, but his one of his things was, you know, they send you an email or a text, you call the number on the text. And then when you call it, it's actually really calling Chase, but they do a man in the middle attack. So you're in violation. We found that somebody's using your credit card illegally. Please call this number. So not every number is visible because some numbers are like the The Ford hotline, it might not be the regular chase number or the regular city number, it's the chase, Ford hotline or city hotline, you end up calling it. But what this would do is do a man in the middle attack. As you're calling, they use an asterisk to grab your digits. So you call, they go, you put your account number, you put your PIN number in, whatever you're doing. And it says, you have $1,537.63. And you're like, yeah, I really do. Thank God nothing happened. You hang up. Now they got your digits, they call back Chase themself, and now they're in your account.

Well, that's that. Okay, you gotta explain what asterisk is. We don't mean the little thing on the phone dial. Go ahead, you explain it, you're better than me. Okay, asterisk is, I don't know if they still call it a PBX. Open source PBX. Open source PBX, which means it's like. Phone system. A free version of the phone system that you'd have in your office and you can hook it up to the phone network. So, you know, you can have your own office phones or whatever. It's kind of becoming a little less used than in the past, but you can have that. And so these guys have figured out how to set up the call routing. So when you think you're calling Chase, but because of the malware in your phone, your phone instead doesn't call that number. It calls them. And then they connect it from there to the real place you're trying to get to. It's called a man in the middle attack. So you think you're talking to them directly. But you're not. And like Adam said, then these guys can trick you. They can get your credentials and your information and try to go to the bank themselves. That's a really nasty trick.

So simple.

Well, it's simple in concept. It's not simple to execute.

Well, it's not terrible to execute. I mean, I bet you can download a free asterisk appliance already made to do a man in the middle attack if you want to. Yeah, but you gotta get the malware on the phone too. No, no, two different things. So the malware, unbeknownst to people, the malware is embedded in, you're kind of poisoning the well. So you download something that you think is good. Like let's say you go to download ChatGPT, but you download ChatGPTTT, which is somebody else puts it into their store. And you're like, oh cool, this is real ChatGPT, I'm using it. But meanwhile, in the white space or in the space where There's no code. It's executing other instructions to say to your phone, like you allow permissions. For anyone who has an Android phone, I don't know much about iPhone. You say, allow mic, allow access to my keypad, allow access to my speaker, allow access to my contacts. Well, when you allow all this access, now this malware can do whatever it wants with it. It can listen to you. It can know the GPS if you allow that and everything else. So you got to be very careful of the permissions. But I guess where I'm really getting at is you got to be careful what you add to your phone, because just because it's something that actually works, it doesn't mean that there's nothing nefarious within it as well.

Yeah, that's very true. And you know, iPhone does very similar things when you get an app that wants to use the game. And, you know, we'll give you the same advice we've given people for years on stuff. Don't just say yes. If it seems like this thing has nothing to do with that, don't do it. Or even if it is something like you think it's chat GPT, it has this really cool voice thing. You know, well, if you're not planning on using it, just don't give it access. You can always change it later.

Well, I'm laughing because I remember back in the day before there was a real flashlight function built into the phones, you had to download a flashlight app. to turn on the flashlight, do you remember that? On your phone? The point I'm making is that when you downloaded the flashlight app back in the days when it first came out, can the flashlight app have access to your GPS? Can the flashlight app have access to your microphone? Can the flashlight app have access to your... Wait, wait. Why does my flashlight app need access to my contacts? So think about it logically. If you're downloading something and it's a recipe program, And it's saying, I want access to your microphone. Think about it logically.

Yeah, that's right. But you need to be vigilant too, because sometimes you will be downloading something and using it where, you know, maybe it's a, it's a photo app. And so it needs to get access to your, to your camera. It's like, well, then that's a little trickier. So be careful what you download. Keep an eye on stuff. So what else do we have?

Yeah. Well, obviously a lot of people are traveling these days and when you're traveling, You tend to use a lot more tolls. There's a big thing with E-ZPass. People are texting you saying you're in violation and you need to fix these tolls really quickly. So be careful. Go into your E-ZPass app. Don't click on a link. Most of the time, most people are not gonna text you with you have an issue. If you haven't gotten an E-ZPass violation text before, you're probably never going to get one in your life unless they enhance it. So be very careful.

If you've been on vacation in Europe and E-ZPass tells you, you just got a toll violation. Either someone's stolen your car or it's a scam. But there's another thing you can do too, because one of the reasons they do stuff like that is they probably don't know you have E-ZPass, but they figure like in New York, New Jersey, probably on the East Coast, virtually everyone does. Yeah. Pray and spray. They're just hitting everyone. And at the holidays, those get particularly effective because with the package delivery stuff, because everyone's getting packages from Amazon or many other places. And so that's it. They just send it to everyone. And you know, you got to make sure you got to really look at it and say, is this what I really ordered? Go to the Amazon website and please tell your friends and your family the same thing, especially if, you know, someone like an, like an older person says, Oh, I got this thing from Amazon. Even they ask me, is this real? You know, something about security or it, whatever, tell them, stop, say, look, look, look into it. Don't accept all that, all that stuff. Because, because people just will do it very naturally. And, you know, unfortunately a lot of people. Even if they haven't seen something like that before, they'll say, oh, this great new service, this is wonderful technology, and go for it. They're not even thinking about whether it's real or not. So try to help people. We try to be helpful, right, Adam?

And encourage others to do the same thing. So let's talk about sexploitation. I have a funny feeling that the people that send out the sexploitation emails, and I'll explain what that is in a minute, they need some money to pay for some of their family's gifts. So you're going to see probably a rise of those again. Sexploitation for those people who don't know it is they send you an email saying, hey, if you know this, this email, most likely this is how it's structured. It's coming from your own account. I've hacked your account and I have access to your camera and your microphone. You've been very naughty lately. You've been doing things you shouldn't have been. Unless you want your family and your friends to see the pictures of you taking care of yourself, you better send Bitcoin to this address. You have 24 hours to do it, or naughty naughty, I'm sending your emails to all your family.

Yeah, and it's fake. You know, we don't like to say always with stuff, but with these things, you know, 99.999 times, it's fake. And I'll give you a little tip with that. I mean, people ask me all the time and I used to joke around and say, well, what have you been looking at? You got anything to worry about? People don't react to that well. And it's probably not very helpful being a wise guy like that. I think it is much better. A lot of people probably do do it. Well, that's it. A lot of people do that. That's why it works. So even if people are doing something naughty, the odds of it being real are minute.

So what I do is I cover all my laptop, my laptop cameras with a slide. It used to be that you had the sticker. I don't like the stickers, but I put it on top and unless I'm using the camera, I cover it up. You know, that gives you a little bit more not perfect confidence that if somebody should compromise your computer for some strange reason. And keep in mind, people that are compromising you, it's either spray and pray or you're being targeted. And if targeting is another whole world, we're not going to even go into that, but spring and pray you have to basically run an execution or executable program and you have to give a permission and you have to run it i'm not saying it's impossible certainly possible to do but you know cover your cameras you never know though i i'm hearing now this i think they call them good loaders um good loaders now is uh you go to the wrong website by mistake i think you're talking about australian cats or something people are typing looking for australian something something something and they're going to this like website, and this bootloader is able to actually run and take passwords off your machine now. I saw that yesterday. So be careful the websites you go to also. It's a bootloader, I think.

Does that have anything to do with covering your camera or did you just move on?

I moved on. You know how I am. I'm a stream of consciousness, you know? Yeah, yeah. It's kind of like a lateral movement from one malware to another malware. I apologize. This is just who I am sometimes.

There you go. That's right. It's like a lateral movement of hackers, or what we use to call the unscathed brain.

Well, it's most likely the second over the first. I just have so much knowledge he wants to share. So much empty knowledge, but what I'm getting at is just be careful. Be careful. Go to the trusted websites. And this is why we talk about, what did we talk about? We talk about having zero trust. You know, like, if we block everything and only allow what's right, people won't be doing this. But you're not going to have zero trust on your own machines. Too much to manage. Well, look, zero trust.

We've talked about it a little bit before. It is kind of a technique or an approach. People differ on what it means, but it basically means you don't inherently trust something. Just because something shows up on the network, whether when it's a person and they're coming from somewhere that seems like they're using a particular machine, you don't immediately assume they are who they say they are. And you know what? That's a very good thing. to do in your life and encourage other people. Now, we're not saying don't trust anyone. You have to trust people, but make sure that the person you're trusting or the entity you're trusting is who you think it is.

That's what it's about. And it's the same thing with websites. We all only probably go to maybe a hundred, I'm making this up, but a hundred websites, a hundred things in our life. We don't really go more than that. So if you're trusting only those hundred things and need to block everything else, You know, you're not blocking, you're allowing only a hundred websites and everything else is basically blocked because you're not allowing it. Then you won't get in trouble, but too much work.

Yeah. But that's, that's hard. And, and you know what, it's a hundred percent hard. And you know, what's funny too, is, you know, when somebody, when it, even when you're doing stuff like that, you've got the camera permissions off, the mic permissions off when it pops up and it says, Oh, do you want to do this? People say yes, a lot without checking. So we try to encourage people to don't just click it, check first, you know, make sure it really is who you think it is to the best of your ability. So let's talk about gift cards now. Yes. The gift card scam is always a classic and a popular one. So I'm going to role play here.

Let's pick somebody. Hey, Jason, do me a favor. This is Adam. I know you're involved in the whole recruitment business to help us get more followers. We're looking to give out five gift cards at $50 each. I need you to go to CVS. I'll pay you when I see you. Go to CVS, pick up five gift cards for $50 each, scratch them off, take pictures of it, so I can send it out to the people that won the contest.

That's right. And then I can be the recipient of it and say, Hmm, this guy wants a bunch of money and he's a friend of mine. And you know what? I snubbed him and didn't invite him to the holiday party. So I'm feeling guilty. I'm going to send them the gift cards. You had a holiday party? Oops, just kidding. But seriously, what they will prey on is things like friendship, but we've talked about it before. Also, they will also prey on, you know, fear, like if it's your child or a parent or something, and that's something you really got to talk with your whole family about now is the scam thing that, you know, We talked with Jen Gold, too, about having a code word to make sure it's really them. That applies to the gift card scam and a lot of other things. One of the twists on the holiday gift card scam is always going, but during the holidays, people send more gift cards. So you may see more stuff. And also, there's the gift card charity scam that I heard about when someone says, oh, buy a gift card for charity. The charity, this is what they want or do this. This is how we want you to donate to us. I'm not aware. I'm not an expert, but I'm not aware that most charities ask for gift card donations to Amazon or Red Lobster or something or wherever.

How about the one where a woman goes into a store, an older woman, more of a senior. She bought, she was told that her electricity is being turned off. And if she doesn't get, if she doesn't pay for her electricity, which is to say $252, she's going to have electricity turned off. She walks into a store, she goes, I need X amount of dollars in gift cards. And then the people behind the counter say, don't do this. It's a scam. No, no, no. I don't want to lose my electricity. The store owner sells the gift cards to the person. calls the police, the police show up, one police officer shows up, says to the woman, give me that phone. He goes like, this is Sergeant blah, blah, blah. Who are you? Oh no, she has electricity to be turned off. He ends up saving her from giving the gift cards to the person. But if somebody's asking you to pay for something in a form of gift cards, it's probably not good.

Yeah. And, you know, the thing that's really tough about the gift card thing and a lot of other scams is that they do prey on fear, you know, like we're going to turn off your electricity or, you know, in a job, it's your boss and you're worried you're going to get fired if you don't send them this stuff to help them out. And, you know, during the holiday though, holidays though, you know, it's especially tough, you know, on the, on the elderly people who, you know, they're going to prey on your, all of your family, maybe a very insecure, the economic times. are a little tough and it's really hard to protect against that. probably one of the few ways is to just talk to them about it and just say, hey, you know, be on the lookout for this. Be careful. Yeah. Proactively before. So even if they start to fall for it, at least it's in their head. And then maybe if they do go to the store, when the clerk says, you know, this is probably a scam, they're going to say, maybe I heard this before from someone I trust. And this is, and this is real. You know, it's, it's really a nasty thing.

to try to do what we can. So my wife gets a WhatsApp message, classic scam. Her cousin's husband says, I need you to send money to my son in another country. I'm unable to send the money from this country because they don't allow us. Classic scam. I said to my wife, ask that person to come on WhatsApp, turn the camera on. And we all know there's also deepfakes, but we can kind of vet that out.

They're not so prevalent, especially for something spontaneous like that. Right now, it has to be well-planned for them to use that kind of stuff.

So my wife has her cousin's husband get on WhatsApp. I think it's like four in the morning where they are. And he gets on and goes, yeah, it's really me. I really need you to send the money. Western Union does not allow us to send money from this country to this country. It was legitimate. So it wasn't a scam, it was real. But it seemed like so much it was a scam. But the point here, the moral of the story is, just vet the person. It takes only a couple of minutes sometimes, not all the time. Go on WhatsApp, go on camera, call the person with the number you know. If it's originating from the number you know, just because it originates from the number you know doesn't mean it's not a scam. That means somebody could have taken over that account. But have them go on WhatsApp, have them go on video. have them answer a question like, where did we go in the summer of 2000, or where did we go in the summer of 1968? That's when I was about 50 years old. But if you can ask a question and get an answer that you think only that person knows, then you've vetted the person.

And also see if it makes sense. I mean, that's a really good thing there because, you know, if I got that, you know, 99% of my family is in New Jersey, we're so, you know, we're so worldly. It's like, you know, if my cousin calls me or something and says, I'm in some country that they don't accept Western Union from, I could be really suspicious of that. Like, what the hell are you doing there?

But like, and that's the other scam, right? Yeah, but it's real for you, but it wouldn't be real for me. No, I know. But like, here's the other scam, right? All these scams come up during the holidays, even though they're not holiday scams. You know, Joe Jr. got into a car accident and he's being held by the police. and he needs $500 for bail. Go buy 10 gift cards at $50 and send it to this location.

We're going to take a quick second to ask you for a favor. We hope you're enjoying these honest discussions among security pros. If you are, please help us out with a comment to tell us how we're doing and also tell your friends and colleagues about the show. Oh yeah, and like, subscribe, follow. Thanks. I'll tell you what I like. I do like the, and I think we've talked about this before. Maybe I did a short on it, but I like the tap to pay stuff. I love using my phone and not having to take out my wallet, and it is really secure, more so than the old slide things, the skimmer doesn't work. And I think even if you tap, whatever, if the card's got the chip, which I think most do now, it's really helpful. It has some cryptography and stuff. But I love the phone. I especially love the phone. Well, it's not a holiday thing, but I especially love the phone now on the subway. And I think every agency has it now where you know, you probably got your phone if you're looking at it anyway, where you just The thing you don't have to take out your wallet or get your phone or anything like that.

Somebody said yeah tap to pay so we can steal your information. Okay Look, you can steal your information so many ways Yeah, you can you can scam and take people's information so many ways you have to do what's comfortable for you I also realized if you have tap to pay and your phone is is stolen from you by force and your phone is unlocked, they can do whatever they want to do. I get it. I've heard all the counter arguments to why they do this and why not to do this. Look, all you have to do is do the best you can to have situational awareness. Keep your phone locked when you can. Force it to lock almost within a minute or two. If somebody steals your phone, you're still alive, hopefully, right? So you gotta weigh the good and the bad.

Well, you know, it's all about risk and making decisions, but you know, but the thing is now these, a lot of the newer methods of things, like, you know, like the tap to pay, like the phones and everything, it really is just as easy or easier than the traditional methods. And, you know, I encourage people to use it. I use it myself. And, you know, I try to encourage my family too. It's like, I know you got to set it up and I know it may seem a little daunting and real, but once you get it set up, It's so easy, you know, it really is, really is easier.

And, you know, tap to pay is also good. And I know, I know this is going to be an argument too. And someone's going to ask me for the 30 seconds of their life back, but, um, you can use tap to pay for your kids. If your kid, the kids carry their phone all the time, God forbid, they need money for food. Assuming that you can afford it, right? You give your kids access tap to pay. You can watch what they're buying. And you can also see, you know, and if they need something, a sense of urgency, they can do it. Hopefully they'll, they'll, they'll practice good health and hygiene with the phone. And hopefully they won't do anything nefarious because most kids really won't. If you teach them right as they train them, train them as horrible, teach them right. Tap the base good.

There is a certain amount of like, you know, You need to teach your kids, but you also need to train them. If you give them something, you should be training them to use it correctly. I mean, you know, we, we talk a lot about, you know, we often focus on, we say about the family, watch half of the elderly, but your kids too, you know, these kids, they're tech savvy and that they're, you know, digital natives or whatever they thought, you know, they're used to these phones. They're used to all these things working. But one of the things that surprised me is that, you know, when, when Adam and I were, were kids, If you had all these gadgets and everything, you're usually pretty tech savvy and you knew how they worked and you knew something about them. I know my kids know nothing about. technology. They have phones. They use them. They do all this stuff. They play video games and all, but they do not know how it works, which means they also don't know about a lot of these scams. So, you know, if you're going to give them this gear, and especially if you're going to give them payments, I mean, I just had to sign my daughter up for something. And I said, look, you need to be careful with this. You don't just give it to anyone. You only give it to reputable places. You know, you call me if you're not sure. You got to tell your kids about that stuff too.

Well, I'll tell you an example, right? About two, three years ago, my wife went to go buy flowers for somebody and they did it by mistake because they recognized it. Instead of typing $55.51, I typed $555.51. They realized it, they canceled it, but it takes 24 hours sometimes for it to come off too. And that's the other thing. I personally recommend do not use debit cards most of the time. Use your credit cards and then pay your credit card as soon as you can within 24 hours because this way you have one you have insurance over god forbid that the payment that you made is wrong or that the or the product that you got a service is wrong and you can um and you can you know dispute it. I also realized counter to that people like using debit cards sometimes in cash because debit in cash, a lot of times people will not charge you extra fees. Let's leave it at that. Um, but you know, you got to pick what you got to, you got to pick your poison. Do you want to not incur the extra fees for using your debit card? Cause some people won't charge you for the debit or, or cash, or do you want to protect yourself and use the credit card? If you use a debit card and somebody puts the wrong amount in, That money comes out of your account and then you got to fight it. So if you're paying mortgage, if by mistake it was supposed to charge you 500 and they charge you 50,000 and somehow or another that went through, which I don't have 50,000 in my account, by the way. You know, you lost that money until you get it back. You have to dispute it. So you're going to have to bounce a lot of things for a while.

Yeah. I mean, I've never been a fan of debit cards and I, I am one of those people who doesn't like to pay credit card fees, but I do use the debit functionality with these things, but very, very sparingly and only with places that I really know and that are really, um, you know, trustworthy, you know, so be very careful when using it, please.

And I'm not looking to get into Europe versus America. A lot of places in Europe, they'll bring the credit card machine to you. They swipe it right in front of you and you pay it right there. In America, they take your card to the back room or to the register. They have possession of your card. I've also been in places even recently where my card disappeared by mistake because they dropped it. And then they had to go look for it and find it. So like, oh, they put it into the folding thing where you had the receipt and you sign it. I'm like, where's my card? Oh, it was there. No, it's not there.

I think I used my card in bars for some reason. It seems to be a problem there.

That happened to you, if I recall, remember. But the point I'm making is if your debit card disappears, then your money disappears. If your credit card disappears, yeah, it's a little different now. The money's got taken out of the account. It's being added to your amount of credit you owe. And they both suck, but I'd rather have the cash still in my account and dispute the credit charged in my account.

The other thing, too, though, is believe it or not, I know a couple of years ago, when I first posted over to Europe, I was stunned and pleased to see how much they were using the little machine that comes to you. We're seeing that more and more here in the U.S., though. Even small shops, I guess they're starting to do that, and restaurants and things. I think that's getting better, and I would encourage you to have a chance have a choice. The place either uses it or they don't, but that's a good thing.

Well, I went to a farmer's market in Ithaca, New York. My kid goes to school in Ithaca. And a farmer's market, keep in mind, there's nothing there. There's really no electricity. There's really no anything, no internet, no infrastructure. So what a lot of people are doing these days is they use their phone and they use the square or other types of devices to ring up your stuff right there and then. So There's an advantage to doing that, but the problem for restaurants is it's not really per se networked with their point of sale. However, your phone is your whole entire cash register right there. So these days, a lot of independent people, when they're doing services, they go right to their phone, right to the square, tap to go, and boom, you're paying the person there.

Adam, I hate to tell you, but that's really not new. You know, people with cell phones and a little shopping. No, I know that.

I've had a square for years, but it's it's more prevalent now than it was before, because I'm seeing it more and more now that people are originally people like, oh, let me send you an invoice. But now people are literally like, I've seen it. I haven't seen it as much in the past as I see it now. People are literally doing this more and more now because all these apps are out there.

Let's do another thing to watch out for over the holidays with your family. That's not a scam. It's kind of a funny story. Subscriptions. Very often you sign up for a subscription at the holidays and you think it's nice. It's always auto-renew. They don't have someone come and knock on your door at renewal time and say, hey, do you really want to renew it? They make it as subtle as possible and can use what's called dark patterns. And that's when it's like really hard to unsubscribe or you got to like call them or do something ridiculous to go. You got to watch out for that. But also watch out for buying things for your, for your family. I'm going to tell you something funny happened with my dad a couple of years ago and Spotify came out, you know, got it, loved it. And we're not, not plugging Spotify because we're on Spotify, we're on everything else too. I get the Spotify thing, and then I realize, oh my God, it has virtually everything. And I'm like, oh, my daddy likes all this old stuff, like Big Band and all these things. So I said, he'd probably like Spotify. So I get him a Spotify account, you know, not realizing at the time, very intelligently, I'm just going to be paying for it for the rest of my life. Because it ends up, he loves it. He says all the time, this is the best Christmas gift I ever got. And it's the gift that keeps on giving. It's a bill that keeps on billing. But it's for my dad Well, that's stuff and he should tell you dad guess we guess what I got you for Christmas a Spotify subscription again, actually, you know what I should remind him every year like put a little card or something like it I'll get some get some points for that. Yeah, that'd be funny All right. Well Adam, I think we're kind of getting to last call or at least I My official security cocktail hour coffee mug is empty. Final thoughts?

Yes, just be careful. Maintain situational awareness. Don't let people get near you because, you know, people will try to pickpocket you and take your cards and take your access. And that's really it. Have a safe and joyful holidays.

Be careful. Enjoy the holidays. Enjoy it with your family and try to encourage your family to do the same.

All right, Adam, this is always fun. Yeah, hold on a second. Let me go close my window. It's really cold out. That's right. I'm going to go out and shovel some snow.

Yeah, there we go. Me too. All right. Take it easy, everyone. Bye-bye, holidays.