We Are the Hacker's Day Job with Adam Levin, Part 2
About This Episode
This week we welcome Adam K. Levin back to the podcast to talk about the hacker’s day job. He is a long-time consumer affairs advocate with more than 40 years of experience. He’s the author of the book Swiped and formerly Chairman and founder of CyberScout as well as co-founder of Credit.com. He joins us at the apex of the consumer security awareness time of year. Holiday shopping, COVID, flu, and other health concerns run rampant in addition to geopolitical security concerns that are ever present.
[00:23] Victims of Hacker’s Day Job
Rachael: We’re excited to bring you part two of our conversation with Consumer Affairs Advocate, Adam Levin. So without further ado, let's get to the point.
Adam: Alex had no idea and he looked up from his cash register. Suddenly there were a hundred women standing in front of him giggling and wanting him to check them out at his cash register. His phone was dead, so he had no idea what was going on. He gets back to his mother's car, plugs his phone and he finds out he's got tens of thousands of Twitter followers.
That was the good news. The bad news is that the family started getting death threats. They got information about the family on the dark web and ultimately they became victims of identity theft. The simplest, most innocent thing in the world, which is just standing there, could end up putting you in harm's way because of the way the world is today.
Victims of Hacker’s Day Job: Hated Neighbor
Adam: One of the stories that I'm aware of that occurred many years ago is about a fellow who hated his neighbor. When the neighbor was on vacation, he went over and sat on the front porch of the neighbor's house in the back or the back porch and obviously no one was looking.
He hacked into his neighbor's computer and then he had that computer or had that neighbor as it were going onto child pornography sites. And then he notified the police. And the neighbor comes home and is greeted by the police department and spends two years clearing his name.
So it could just be your neighbor doesn't like you and you could also be in harm's way.
It's just there's so many different ways that we are exposed or have potential exposures.
That's why it's so important to do a lot of the things I talked about in the 3Ms because you need to know as soon as possible you have a problem and you have to have a plan and you have to, especially knowing that our information is out there now and has been out there because there's been just tens of thousands of breaches with millions of files and billions of records, that you just have to adjust to the fact that we are on defense right now and we have to be as offensive as possible in order to better protect ourselves.
The government hasn't done enough, business hasn't done enough, and frankly neither have we as consumers done enough.
[03:20] It Is a Shared Responsibility
Adam: A couple of years ago, the Microsoft CEO made a statement about the concept of shared responsibility, that we all have a responsibility. Especially when you think about so many people working remotely now, having all their devices exposed to other family members. I have a 10-year-old, God love them, and friends of mine who have kids.
Keep in mind that children can become weapons of mass destruction within a family on your computer systems. That's why set up a separate network for your kids and your Internet of Things devices. Anything that's really important to you and sensitive, make sure it's on a special network. And with very creative, long, and strong passwords.
Your kid can make a mistake, it can come back on you. You may not know it. It may involve a device that you use in order to get into the network of where you work. If where you work happens to be part of the supply chain or anything involving critical infrastructure, you could be talking about a national security incident. It's the old pebble in a lake with the ripple effect.
It's one of those things where we are in this together. We have to collaborate, communicate, and cooperate. Businesses, consumers, media, government, all of us because this is something where it knows no borders. No one is too unimportant, too irrelevant, or too small to garner the interest of a hacker or a scammer.
You have so many businesses that go, "I'm a tool and die company." You may be that, but who do you do business with? The perfect example is the Target breach. An HVAC subcontractor was compromised. They used the access of that contractor to get into the Target systems, then the rest is history.
Point of No Return
Rachael: Is it too late for us just to unplug, Adam? And just go back to the day of the caveman? Have we passed that point of no return, reset?
Adam: Well, my co-writer and co-host Beau, one of his favorite phrases is, "Unless you're living under a bottle cap at the bottom of Loon Lake, the world is as it is." Once after I gave a speech, someone said, "Okay, so I'm going home, I'm unplugging everything. I'm pulling down my shades. I'm going to hide under the mattress and burn my fingerprints off." I said, "You can't do that."
What's so interesting is you could be living off the grid, but if someone you know or someone you're related to happens to drop your picture online, suddenly you're not off the grid anymore. And then people want to know more and more. There's a great deal of curiosity out there.
Just people love to know everything they can possibly know about anyone else. And we're also living in a society where people cannot control themselves. There's an unquenchable thirst to put every morsel of information about ourselves online, sharing everything online.
I say to people, "Look, if you're going away on a vacation, share the memory not the real-time event, because if you share the real-time event, people know where you are, which means de facto they know where you're not."
There's a website lurking, it even may still exist called Please Rob Me, where they took examples, the most egregious examples of people oversharing information and giving the bad guys enough that they broke into their house.
Do Not Do Anything by Impulse
Adam: Another way to keep track of where you are, there's a website, Have I Been PWNED. There you can put in your email address. It'll give you flat-out an inventory of all of the different breaches that occurred where your email was exposed. Oftentimes your email obviously comes with a password. So that's a problem. You can also enter your cell phone number.
They will tell you all the times your cell phone number has appeared in a breach.
For years, everyone, myself included, would say, "Just remember your social security number is the skeleton key to your life." Actually your cell number is. Nobody ever changes their cell phone number. They're all portable. We put it everywhere. It's like we’re flinging rose petals into the wind. Those rose petals happen to be either our email address, or even more ubiquitous, our cell phone numbers.
Once obtained, they have the ability to figure out a way to get the second part of your two-factor authentication. Your email gives them half of the first part of your login information. So we're out there. So that's why it's extremely important to be cautious.
Don’t do anything by impulse, whether during the holiday season it's an order scam, a fake delivery scam, or a non-delivery scam, which is you order stuff and it never shows up.
Deal's too good to be true, tech scams, bank scams, gift card scams, fake app scams, charity scams. Remember, this is the time of the year where people feel the need to be charitable. Especially for those who want to take deductions on their tax returns.
It's like, "Oh wow, yeah, I need to cover some more income here." So they do it. Hackers know this. They're out there.
A Helpful Strategy for Multiple Accounts
Adam: Whether it's health-related, job-related, especially now with layoffs going on and people, look, the great resignation, people are looking for new jobs, just be careful about the websites you go and the information you provide unless you really have a good idea, I mean a really good idea of who you're talking to, if there even is a job, and if you're the right fit for the job.
Petko: Adam, when you're going through this list, I can't help but think about what I’m doing in my life to minimize, monitor, and manage. I don't have one email address, I have multiple. I actually create a separate one just for all the accounts I have to manage. And then Google has the ability where you can do a plus something. I'll have a separate email account that says plus Netflix.
So I know only Netflix should be charging, getting emails from that.
The advantage is if there's ever a breach or that email gets shared with someone else, I could say, "Wait, I know Netflix has this email address. How come I'm getting emails from services? I'm going to change the Netflix password," and I'll just know to do that for example. That helps to minimize and monitor all in the same account. But my generic account that I email people with is not the one I use for my service accounts.
For my services and IoTs. And it's that way, I should only be getting non-spam in my personal. It's helped reduce a lot of things, I've noticed.
Adam: You're absolutely right. Another thing is get a Google phone number because then it will feed into your real phone number, but other people won't know that it's your real phone number.
Take Care of Your Portfolio
Adam: Now unfortunately, most of us over the years have given our real phone numbers anyway, but it never hurts. Certainly the bad guys are getting Google phone numbers like crazy. It's like when people get an authentication code and it's supposedly from a retailer trying to make sure that you're you. It could be the authentication code to get a Google phone number with your information.
That's why if you ever get anything that looks like an authentication number or code and you had nothing to do with it, it just showed up, and then if you get a call from someone, hang up.
And I call this the, it's the three portfolio theory. If you were to say the word portfolio to most people, the Pavlovian response is investments.
What people don't think about is we have a number of portfolios, two of which are our credit and our identity. Where you would hope that a professional is managing your investments, you have to be the professional manager of your identity and credit.
You have to build them, nurture them, manage them, and protect them. If something goes wrong with one of those two portfolios, it can significantly impact the others and your investments and the availability you have to getting the cash you need either to do what you want or to protect you when things turn sour.
[12:49] Cybersecurity and Privacy Are Intertwined
Petko: Adam, I like that a lot. The podcast is really about cybersecurity. You're reminding us that personal cybersecurity and privacy are intertwined and we tend to always focus on cybersecurity, yet we keep forgetting about privacy.
Then there's focus about some privacy but don't do cybersecurity, but they're really intertwined, 'cause ultimately it's about protecting, as you pointed out, our identity, our credits, regardless of where we put it out there.
At the same time having the right hygiene to protect and minimize and everything else, 'cause we're really putting a lot of trust in these companies when we're giving data out to them. So never trust, always question, as you pointed out, is a good post.
Just like you mentioned earlier about sharing to when you go on vacation, share the memories, but don't share them in real-time. When we're sharing things on Facebook or Pinterest and others, are we kind of effectively giving up our data to them? I mean we're stating at that point like privacy or security's not important to us is how it feels like.
Adam: You’re giving up your data and you're giving it up in the cause of either communicating with thousands of people that you think you know that may not know. Also, the whole concept of keeping your friendships alive from the past. But this is again the rub between convenience and security.
Understanding Technology and Security
Adam: I read something recently I thought was brilliant. They said the privacy is the “Why.” The security is the “What.” That's so important.
We had talked about this actually before we went live, but Bruce Schneier who's considered a lion in the cybersecurity industry, has said that if you think throwing money at technology is the solution to your security issues, then you don't understand the technology and you don't understand security.
Because at the end of the day, the real protection is people. We have to protect ourselves and we have to get smarter. Because the smarter we are and the more protected and protective we are, the more that the institutions that we are part of will be better protected.
Rachael: That's a good point. The whole Powerball thing, it was up to a million I think a week ago, Adam. Or 2 billion. Of course in my mind I'm thinking about what I'm going to do with all that money when I win. I kept coming back to my grandmother, she literally put hundreds of thousands of dollars in the walls of her house, Adam, because she didn't trust financial institutions and banks.
I keep coming back to that. Crypto firms are failing and banks are getting breached.
It’s Not Coming Back
Rachael: How do you know it is safe? I mean, I guess that's the other piece. How do you trust that those you're working with, even though they may have a great track record, are going to stay that way?
Adam: One of the things you can do is set up protocols between yourself and the institutions that you will never transfer anything anywhere unless you have a conversation with someone at that institution who you know and knows you, or at least knows enough about you.
I have one bank where I will send them an email and then they immediately call me and they say, "Okay, now you just sent us an email, right?" I go, "Yes I did." And they said, "Well, when you sent the email and asked us to do a wire transfer, did you confirm with a live human being where you're transferring it to make absolutely sure that it's going to the right place?
Because once we transfer it at your behest, then you have authorized it. Don't be looking for it to come back."
Even the CFPB has taken a much more aggressive position with let's say the peer-to-peer like Zelle and Venmo and things like that. And you still have a lot of banks that go, "Once you press the send button, it's not coming back. So you better make darn sure that you know who you're dealing with."
Victims of Hacker’s Day Job: The CEO
Adam: Just as an example of how you think you know who you're dealing with. There was a story about a year ago where the CEO of a portfolio company received a phone call from the CEO of the parent company saying, "We have a cooperative advertising program and this is very exciting."
He laid it out for him and he said, "We need you to wire $200,000 to this particular account, which is part of the co-op account." And the fellow hung up the phone and he did the wire.
He ran into the real CEO about a week later and said, "By the way, I took care of the money for the cooperative account." The response was, "What cooperative account?" But this was a deep fake audio. He said, "I knew I was talking to the real person." And the answer is, "Yeah, but you weren't." So the money is gone and he's gone.
There were instances that some of the big, big folks like Google, Facebook, they wired, I think between them a hundred million to companies that were not the right companies. However, because they were Google and Facebook, their money came back from the banks. Unless you are a super high-profile person, you could be in trouble.
[18:30] We Fall for Things
Adam: Just like so many people talk about the fact that they have lost their Instagram accounts. They took a long time to build, they use them for business because someone just flat out stole the account and either made it go away. There's a ring operating out of Turkey that actually specializes in doing this, and Instagram is not really that motivated to help you. It's like it's not their problem.
And interestingly enough, most people I know who lost their accounts lost it because they didn't use two-factor authentication.
We have a responsibility to ourselves to make sure that we're doing absolutely everything we can. Or you got to own a big company that will come to your rescue if you have a problem because you messed up. Anything in between is not going to work.
Rachael: Now you talk about a lot of this on your podcast too, right? I love to get a shout-out for What the Hack. And the fantastic episode that dropped this week with Al Franken. I think everyone needs to go and watch it. We'll link to it in our show notes.
I can only imagine just all the stories you've come across probably as part of your podcast, as well as your work you've been doing for the last 40-plus years.
Adam: Oh no. The stories are pretty amazing. And it's like when I was at a consumer affairs in New Jersey. We'd get a case, my first reaction is, "How could you do that?" The answer is because we're people and we fall for things.
Victims of Hacker’s Day Job: The Comedian
Adam: One hysterical episode is on podcast 39 with Dan Ahdoot, a comedian. He's driving and gets a phone call from friends saying, "Dan, something really weird is going on with your websites." Dan has a podcast, Green Eggs and Dan, where he talks about cooking. He said, "What are you talking about?" They said, "Well, it's weird. Things are appearing in music."
He hangs up the phone. It rings, he thinks it's another friend. He picks it up and hears his voice. "Hi, I'm your hacker." He goes, "What?" He then says, "Yes, I'm the person who hacked you." He said, "Okay. How old are you?" He said, "I'm not going to tell you, but I'm somewhere between 12 and 14." He said, "Okay, you're telling me that a 13-year-old has hacked my accounts."
The response was, "Yeah, it wasn't really that hard." He goes, "Okay. What's it going to cost to get it back?" The guy said, "Well, a hundred dollars." He said, "That's all I'm worth, a hundred dollars? Come on."
The hacker looks through stuff in Dan's accounts, he goes, "I've noticed that you have Falafel Phil," a Disney character in a Disney series. He goes, "Why is that?" Dan said, "Cause I’m Falafel Phil." The hacker replied, "Oh my gosh. When I was a kid." He said, "You're still a kid." He said, "Well, when I was a kid, I really had a tough upbringing and was really depressed, it was rough.
The one thing that got me through was Falafel Phil. I can't thank you enough. You saved my life." So Dan said, "Does that mean I don't have to pay you," to which the response was, "No, but I'll become your head of security." That's one example of the crazy stories we hear.
Victims of Hacker’s Day Job: The Troll
Adam: Our first story had to do with a friend of ours. He was trolling QAnon sites and they caught onto him. First he got an image of an evil clown, then someone contacted him and said, "We know who you are. We know where you live. Here's a picture that's never been posted." His heart sank. It was a totally appropriate family picture, but it was one that nobody had ever posted.
So they got into his computer and it was kind of stay out of our lane or else. We had that one.
We had a guy who was a journalist. He was being hacked when he went into Afghanistan and Iraq, a pretty scary time for him. We've had people who fell for sextortion scams. It’s where you get a communication from someone, it has your password in the subject line. It could be a password you haven't used in 10 years, which is true in most cases.
They basically say, "We know what you do, we know where you go, and bad luck for you. One of the places you went, we had already hacked into. We actually have a video of what you were looking at on a split screen of how you were showing your appreciation for the video you were looking at.
Because we're now in your computer, we know who your contacts are, we know who your family is.
And now you can pay us $14,000 and we'll go away. If you don't believe us, well, we'll send this particular combined video to five family members. And they'll confirm the fact that we're not kidding. If you just tell us to drop dead, we'll just simply send it to everybody in your contact list." And people panic.
Victims of Hacker’s Day Job: The Lover
Adam: I was on a show once in Oregon. The station manager walked in as we're talking about it, and she went, "I've had 10 of those." And I said, "Well, I've had about 40 of them that got caught in my spam filter." So again, they cast a wide net hoping that someone will fall for it. If they just get a small percentage of the people who they go out to, they make some pretty good money.
So these scams, charity scams, catfishing scams. There was a story that was out, I guess a couple of years ago, and we've had instances of this that we've talked about in the show where a woman believed that she was communicating with the future love of her life. She was older and managed to send this person over time 2 million.
And it came out of her brokerage accounts. And the only way that this thing slowed down was that the financial advisor finally said, "There's something weird going on and you won't acknowledge it." So he called her family members. They stepped in. They had an investigation.
It turned out it was a scammer. And when she sort of reached the realization that she'd been taken, her comment was, "I know that I've been the victim of a scam, but in my heart I still love him." This is the way they operate.
[25:35] Heed the Warning
Adam: I was on a TV show a couple of years ago. There were two women, home healthcare nurses, both in their mid-50s. Both have been approached by different scammers that pulled on their heartstrings because they had studied them on social media. Knew they were caregivers, knew they had big hearts. Each ended sending around 60,000 to the scammers.
They talked about it on TV and said, "It's a terrible thing. I can't believe I did this. But they said all the right things."
The warning there is if you meet someone online and within three days, either they want to have your child or they want you to have theirs, they come on really fast, really hard, if you were to close your eyes and listen to their lines, it's like coming out of a grade B movie. They are drama kings and queens.
There's always some reason that they're having a crisis in their lives, why they can't come and visit you unless you send the money.
We had one woman on the show who met somebody, had a profile on LinkedIn as a very accomplished doctor from the East Coast who decided he was going over to the Middle East to set up a clinic. His story was very believable. He had a real profile.
He said to her, "So everything is great, except the equipment that we ordered for the hospital that we're setting up here got caught up in customs and it's going to cost us 30,000 to get it out. Is there any way that you would consider sending me the money," to which she replied, "Are you kidding me?" She was one of the lucky ones. She was one of the more suspicious ones.
That was the end of a perfect romance.
What the Hack?
Adam: One of the things they'll do is to get you involved. If you're younger in a romantic relationship, they will send you a "compromising" picture of themselves and ask you to do the same in return. You do. It's your picture. The picture they sent you was not their picture. And now they basically hit you with extortion. That's it.
Petko: Those are great stories that I think all of us need to listen to on your podcast and others. Thank you so much for joining us here today.
Adam: Oh, listen, it's my pleasure. And again, I appreciate the invitation and this was great. Thank you so much.
Rachael: Thank you. I love all these stories. So to all of our listeners, please go listen to Adam's podcast, What the Hack. You will absolutely love it. And again, listeners, thank you. Thank you so much for joining us this week. We always appreciate you.
And don't forget to subscribe. You can get a fresh episode right to your email inbox every Tuesday. Isn't that convenient? So until next time, everybody. Be safe.
About Our Guest
Adam K. Levin is a consumer affairs advocate and serial entrepreneur with more than 40 years of experience. He is a nationally recognized expert on cybersecurity, privacy, identity theft, fraud, and personal finance. At age 27, Levin became the youngest Director in the history of the New Jersey Division of Consumer Affairs — one of the most powerful consumer protection agencies in the U.S. He is a graduate of Stanford University and the University of Michigan School of Law.
As Chairman and founder of CyberScout, Levin built a premier global identity, data protection company, and helped pioneer the cyber insurance business. The organization was acquired in March 2021 by Sontiq, which was soon after acquired by TransUnion. Levin was also co-founder of Credit.com. It is one of the first credit education, information and products and services companies on the Internet focused on consumer credit building. The company was acquired in 2015 by Progrexion.