This Week on What the Hack: Remote Access Attacks and AI

A deadbolt clicks. This email, that voice–they sound all right. Then things go sideways. This week, 911 Cyber CEO Marc Raphael joins the pod to explore how AI makes scams faster, smoother, and harder to spot, and what you can do to stay hard to hit in the new threatscape.

Episode 230

Ep. 230: “The Cursor Moved at 2 A.M.”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander.

Beau: A friend of our producer, Andrew Steven, recently installed an electronic lock on their front door, the kind that lights up when you touch it and makes a really satisfying click when it locks. They showed it to Andrew, super proud. Andrew, having worked on the show for a number of years, watched them type in the code, pull on the handle, lock it. It all looked great. Few days later, Andrew was still thinking about it, and apparently so were they. And they came to a realization: the lock was installed right. The deadbolt engaged, but the hole that the bolt slid into, the part inside the doorframe, that wasn’t reinforced at all, and that meant the door wasn’t going to stay locked if someone wanted to get in. In other words, what you couldn’t see was the problem. We talk about digital security on the show, but the same thing holds true, especially in a threatscape aided by deepfake-generating AI and the like. You can’t always believe your eyes. Sometimes, the vulnerability is what you don’t know. It’s who knows what. This works for personal data and for doors: what’s going on in the wall where that door was installed? Because the danger isn’t only what you’re looking at. It’s what you’re not seeing. Could a criminal get in with a hard kick, a saws-all? In digital terms, do you know who has access to your personal information and do you know if they know how to use it? Define access. I’m Beau Friedlander and this is What the Hack, the show that asks, in a world where your data is everywhere, how do you stay safe online?

Marc: Give me one second. Yes. And let’s see.

Beau: Well, we don’t know. I mean, we might not even use the video, but it’s nice to have. So I guess the first question is, are you anonymous… I know this is gonna sound crazy, but I’m looking at something behind my computer that’s crooked and the whole time I look at it, it’s gonna make me not think straight. So let me just make it not crooked and then I know it doesn’t look like I care, but I care.

Marc: Don’t worry, don’t worry. I’m also like that.

Beau: One second.

Marc: Okay.

Beau: That is actually what we were talking about is I noticed. Like, isn’t that a big part of what we do? Notice?

Marc: Definitely, because when you don’t pay attention, a lot may be happening, if you are not paying attention for too long and bad things will happen. 

Beau: Okay, so we’re all set now, and today we’re talking to Marc Raphael, CEO of 911 Cyber. He is no stranger to all the danger and he actually came across my radar because he likes the show. So welcome to the show, Marc Raphael.

Marc: Thank you for having me, Beau, and it’s a pleasure. I’ve been following your work and it’s absolutely a pleasure to share with you some thoughts, but most importantly, to listen and to see what’s going on out there.

Beau: I understand that you have an interesting origin story. How did you become interested in cybercrime?

Marc: You know, this is crazy. At the very beginning when I was finishing high school, I had the possibility of studying computer science, but I said, you know what? I want something when I’m not stuck with a computer and I can work with people and processes and systems. And I went for industrial engineering. But the thing is, I ended up in cybersecurity, which is where I was avoiding. Of course, cyber was not a thing at the time, but the idea was not being stuck with a computer. And the truth is, I got dragged in cybersecurity by circumstances. Like first I had the opportunity to work for Microsoft Xbox support, and I was seeing firsthand how hacking was operated at a massive scale. 

Beau: On gaming platforms?

Marc: On gaming platforms where people were stealing accounts and taking over and destroying other people’s lives, because you may not think it’s a big deal, but for a gamer after several years and they lose access to their account, they actually wanted to do anything to get their account back. And sometime it was painful to see that.

Beau: Can you explain to somebody who plays checkers and chess why that would be the case?

Marc: Yeah. ‘Cause you get a track record, you get a reputation, and that’s your passion. That’s what you do. It’s like removing something that is part of your life and lose access entirely.

Beau: And I assume you also have to play all the games and level up everywhere where you were already leveled up. Is that right?

Marc: Yes. That’s painful. That’s absolutely painful. And they actually thought like their life was destroyed. Just because they lost access to that. And the second part, I was also working at IBM as a storage administrator in managing multiple, but that was a backend. I work managing servers and storage devices. And I got to understand identity management was a nightmare. I’m telling you, professionals, cyber professionals or IT professionals working, and that’s their daily life working to get access to all the stuff and making sure everything is secure. They were actually storing passwords in Google spreadsheet or in notes. And the problem was, yeah, there was no tool at that time. And on top of that, this was becoming very complicated to manage. And then from there I said, you know what? Somebody needs to do something about it.

Beau: For years, Marc was trying to fix what he saw as a basic flaw in the internet: the way we prove who we are online still depends on shared secrets, passwords, codes, things that can be copied, stolen, or intercepted. So he tried to build something different: a way to verify identity without ever exchanging a secret at all. He patented the idea, spent years working overseas on it, and even lined up a pilot with a major bank. Then the pandemic hit, travel stopped. The project collapsed. As the world rushed online, security problems exploded. So Marc built something else instead: a free website and daily newsletter, tracking cyber threats in real time. Now, people didn’t just read it, they asked for help.

Marc: Somebody in Kosovo in Europe, they reach out to a website in the U.S. because they couldn’t get help. The lady, she was in a remote relationship with somebody in the Philippines. And they were dating kind of, and then they exchanged naked pictures. The problem was the guy was using the pictures to blackmail the lady. So she was sending money every week, month, and when she couldn’t, she was trying to find help. She went to the police, nobody could help. And then she reached out and we said, okay, let’s try to help. So what we did, we worked with her. We tried to trace back the individual in the Philippines. We reach out to the police over there in the Philippines. We provided the information. They explained the case, we help, and then they managed to get him to stop, and that’s it. The case was solved. We figured that Kosovo didn’t have a diplomatic relationship with the Philippines. So that was a case where there would never be a solution for this lady because the police in her country couldn’t help. Nobody could help. So that’s how 911 Cyber was born. Basically trying to help solving issues that already exist of people not being able to get help.

Beau: But nice as Marc may or may not be, he isn’t just a people-pleasing do-gooder. Spiderman was bitten by a radioactive spider. Adam West had PTSD, a ton of dough, and a predisposition for fascism. The Hulk of course got caught in a gamma ray. Marc got hacked.

Marc: I was a big fan of TeamViewer, because mostly I travel a lot and I use TeamViewer to get access to my other computers. And on top of that, sometimes I used it to help family and friends trying to solve whatever IT issues they had.

Beau: Now, if you don’t know what TeamViewer is, it is a remote access tool that- you’ve seen it before. It’s where somebody takes over your computer. So your mouse, you know, your cursor’s moving around and you’re not doing it. And it’s an extremely common vector for hackers to use, especially to empty out people’s accounts ’cause they get passwords that way.

Marc: And yeah, I got hacked with TeamViewer where I left the app running on my computer, on my laptop at that time, and then logged in and probably with remote access enabled. And then one day I woke up, I think at 2:00 AM and then I saw somebody using files on my computer and doing a lot of stuff like extracting data and managing my computer while I wasn’t doing absolutely anything.

Beau: Oh my gosh. It’s like a horror movie.

Marc: Yes, it was.

Beau: And this is in the middle of the night.

Marc: Yes, in the middle of the night. So I quickly understood that it was through TeamViewer because I saw the app running and I saw the activities, and I actually saw somebody logged in. So I managed to, of course, killed it and then tried to shut down the computer and reboot, and then tried to trace him back. But the problem was the damage was already done. So of course since this day I’ve stopped with TeamViewer forever. But the truth is that I recognize that there was a big issue there. And then of course, that’s how I learned to always try to log out when I’m not using whatever type of software. 

Beau: Now, did you lose anything substantial in that attack?

Marc: I believe they were getting started at that time. Maybe some files, but nothing too relevant that could have impacted me personally. But yeah, still I felt like violated. And on top of that, I was working in IT. You don’t want to feel that way. When you are a tech guy and you get hacked, that’s the ultimate shame. So, yeah, I was very frustrated and upset, but still I’ve learned my lesson there.

Beau: Okay, you became interested in cyber because you got got. Common story, and just like those superheroes, everybody, and it seems to me, I only realized this week that a lot of these superheroes, their starting point is trauma of some kind or another. Anyway, so you begin there and then it sounds like you start to see these patterns of crime even where they may not be or where it’s a little more shadowy.

Marc: Yeah, absolutely. Actually, earlier this year I wrote an article on LinkedIn about the data brokers. And my main question was, isn’t it the exact same thing as the cybercriminals just the way they are like moving your data around? Of course it’s official, they get licenses, some of them, they get licenses in different states. But yeah, that’s basically your data. You can start from one small startup that you’re using your demo for, you know, you want to try this specific product and it ends up giving information about you, or whatever.

Beau: Now the data brokers are not breaking the law. We should be clear about that. But I had the same thought when I first saw my information on a people search site. I thought, how can that be legal? The reason is that the internet grew a lot faster than regulation could follow it. All right, this is going to be a little weird, but it reminds me of kratom, which is an herbal supplement that somehow became a gas-station staple. It’s a plant-based drug sold openly in vape stores and convenience stores and head shops I guess, right next to the energy drinks because it’s legal and over the counter. And because of that, people think it’s fine. But it isn’t. It’s genuinely destructive, and I’ve heard of people getting addicted to it and having real problems and actually transitioning from it to harder drugs, so that this stuff is legal makes me want to ask the powers that be a pointed question: What are you high on? That’s the space the data brokers and people search occupy in my mind in terms of cyber. They provide the legal high of the surveillance economy, stuff that probably should be illegal and might be in a shadowy space, and anyway, it’s permitted, normalized, sold in plain sight—capable of real-world harm. Stalking, doxxing, serious things that we collectively ignore, even as the consequences pile up, simply because regulation hasn’t caught up to the speed or scale of the predation on our digital lives.

Marc: And the lack of regulations, the lack of oversight is mostly the main reason why, even though I do understand that they got like at least some semblance of legality there, I do understand that this should not be the way, and we manage, we manipulate people’s data and right now, private companies, enterprises, they benefit from it. So there is no incentive for anybody to do anything specific to help. And they say that regulating that will kind of put a net into innovation, which I completely don’t agree with.

Beau: That’s always gonna be the argument, that we need to have all, everything, we want all the resources, and we don’t even know what we need, but we want all of them.

Marc: Yeah. And that’s a fallacy. That’s a fallacy.

Beau: Tell? But what’s the harm in having, I mean, from your point of view, given what you do for a living, helping people manage their cybersecurity and navigate situations where their cybersecurity has been compromised, why is the data on a people search site particularly an issue? Why is it that the people search data, you know, address, email address, phone number, you know, 40% of that information I think is old. You know, so you have to figure out what’s working, what’s new, what’s actual… why is that data important in cybersecurity circles?

Marc: It can be used to do harm in real life. We have seen an increasing numbers of people committing suicide. We have seen cyber harassment. We have seen cyberstalking. We have seen all types of cyberattacks now taking place into the real world, like doing harm, like overwhelming people. So just an example, let’s say that you put on Facebook, I’m traveling, I’m going to Arizona, and I’ll be at this Airbnb or stuff like that. And you just, all your information are online on Facebook, and people can see that you’re not home. So you open yourself to burglary and it can happen and it has happened.

Beau: And people can use the people search site to figure out what your address is.

Marc: Yeah. Yeah. 

Beau: I see your name is Marc. I know that you are Marc, but I don’t know where you live. But then you can cross-correlate and that open-source intelligence is the problem I think that people are starting to understand.

Marc: It’s available to anyone. We’re not talking about you need to be a super hacker, you need to be a government agency. That means any individual with a little bit of time and poor resources will say they can actually figure this out. Yeah.

Beau: That’s the unsettling part. None of this requires elite hacking skills, just time. After the break, the very tools being built to save us time, to make our work easier, are also available to threat actors. And that’s a problem. Okay, so generative AI, this is the part that keeps me up at night: The same tools helping us write faster and sound smarter are doing the exact same thing for scammers. And this matters because the tells we used to rely on, like bad grammar, awkward phrasing, bad design on a website, those red flags are totally gone.

Marc: Yesterday, my partner sent me on text, “I almost got phished.” This was absolutely too good to be true and definitely it was phishing. She has been trained. She definitely knows a lot about phishing, and the problem was the main vectors people used to look for to identify if it’s a phishing email, they have been removed entirely. That means this is gone right now with AI, but that also helps the hacker produce in a very fast way. Right now, you can do it with the tools and the ability to produce content very fast, and you can change, you can iterate very quickly. The problem is, yeah, we’re gonna have to find other ways to recognize not only phishing, but there are a lot of other tools that are enabling cyber criminals to actually hack people all different ways. Not only in phishing. Like I’ve tested recently some voice to voice agents. That means if somebody wants to reproduce your podcast the same way with your overall manners, expressions, ideas, and everything, it’s gonna take them a few weeks to actually get that done so they could totally replicate what you’re doing, and it’s no you.

Beau: So you can use it for good or you can use it for evil. And the giveaways in phishing now are also gone in the realm of design.

Marc: Totally. Absolutely, like deepfakes. Uh, good luck finding them.

Beau: You know, sure. Deepfakes are a thing, and I’ve played around with Sora enough to know that I can live my best life there.

Marc: Yeah. Yeah, it’s fun.

Beau: I have hung out, you know, and you can tell a lot about somebody from the Sora videos they prompt.

Marc: Behavioral analysis. Yeah.

Beau: I mean, absolutely true. Marc, what is your… I’ll tell you about mine if you tell me about yours. Tell me about a funny prompt that you did.

Marc: I try to get Sam Altman to actually play soccer.

Beau: Oh, you tried to get Sam Altman to play soccer?

Marc: Yeah.

Beau: Did you do any featuring yourself? Had you made, or would you not upload your image because you didn’t-

Marc: I don’t. I don’t upload my image.

Beau: I love that. I did. I uploaded my image and I made a whole series of videos featuring me with a polar bear, a brown bear, and two Great Dane dogs. And all we did was we went to the supermarket.

Marc: That’s, no, that’s fun. That’s the-

Beau: And it was just like, you know, tell me, you know, show me who you are without telling me anything. And you know, I was like, oh, if you left me alone, I’d probably just hang out with bears.

Marc: And that’s the danger of it, right? That means if they leave you alone with it-

Beau: A hundred percent. No. And I wouldn’t work. I’d just be like, oh, what are we gonna do today? Bears.

Marc: Yeah. And you are very knowledgeable, you know, about the dangers of privacy and everything, but you know, think about the regular people, like people will never think or care about that. Yeah.

Beau: Well, Marc, here’s the thing, is when I get a spam phone call, I sometimes pick up just for fun and to hear what’s going on, and I used to answer the phone and say, what? And the reason I did that was because I didn’t want them to catch a voice print. Now. Tell me in your own words how absurd that is, given the fact that I do a podcast.

Marc: Yeah. Right. But maybe, okay. There may be a silver lining here. I would say people that are targeting you at home, they may not be the same people targeting you using your podcast. So that means at least… there are a lot of cybercriminals. So think about it, you probably get some state actors or big actors maybe coming after you, either for the company you work for or for your status and whatever. So they may come after your podcast, but the people reaching out, they are like low-level scammers, even if they’re organized. Usually they are targeting anybody. I think if they knew it was you, they would not even dial your phone. So that means maybe there’s something good there that you try to talk to them and try to have fun with that. Yeah.

Beau: No, and I’ll tell you something, I get a warm feeling inside when I realize that there are low-level hackers out there and an ocean of hackers out there who have no idea who they’re calling because those phone numbers have just been scraped from people search sites and breaches.

Marc: Absolutely. And they do it at a scale where they need to reach as many people as possible to increase the probability of actually success and getting somebody to send them money or whatever they’re looking for. So yeah, they’re probably not targeting you as an individual knowing that it’s you and some of them, as of now, I’m not aware of them using the voice spread to actually find you online and look after you seriously. But I think we don’t want to give them ideas.

Beau: Oh my gosh. Don’t, that’s a bad idea. That’s a thing I always wonder is are we actually just teaching criminals how to do crime better?

Marc: And sometimes yes, because, we have to disclose vulnerabilities. We have to talk about the flaws when we see them. But yeah, sometimes we need to do it in a very responsible manner because they listen. They listen. Sometimes I think what we do is exposing those vulnerabilities or flaws, disinformation to more people. Some people, they are just listening to a podcast and say, oh, I didn’t have this idea. That may be something I can try. Yeah.

Beau: So we did an episode with a gentleman who flew to Cameroon to meet somebody about an inheritance he didn’t know about. And that person he was supposed to meet had to leave last minute for Rome and they left their suitcase. And so the gentleman was given a suitcase to bring to Rome.

Marc: Hmm.

Beau: And the suitcase was filled with heroin.

Marc: Oh my God.

Beau: And he went to prison in Cameroon. Now I spoke to a Secret service agent in South Africa whose job was to close down Black Axe operations, the confraternity from Nigeria, and it was a good show, whatever. We had an interesting interview. The next week I got email bombed and I got email bombed hard by somebody who knew what they were doing because it was like, hmm, I’m gonna say 2000 emails a minute.

Marc: Wow.

Beau: And a year and a half later, I’m still getting emails from that email bombing.

Marc: Yeah, they won’t give up thanks to automation. They don’t even have to do anything. They just script it and let it go.

Beau: You’ve seen these SIM farms where they have phones just on racks and they’re making phone calls. Now a lot of that is toll scams, and a lot of that is coming outta China, or it’s based in- it’s coming out of China originally. And there’s very specific scams where they’re loading credit card information and they just need… they’re phishing for the codes. Let’s play this game. My fantasy is that those, and I want to hear yours. My fantasy is that those SIM farms are being used to make scam calls and they actually are designed, I’m sure, probably I’m just like, duh, I’m not in it enough to know as a prosecutor and an investigator, but that they’re used to make lead calls and they don’t even kick it to somebody at the call center until somebody answers and says hello. Which is why you get that little hiccup when you do pick up a scam call, that it’s actually coming from a SIM farm, which means that they’re making an unimaginable number of phone calls. That’s my one. That’s the thing I imagine. I don’t know if it’s true or not. What’s the thing that you imagine?

Marc: And I definitely believe that’s the case. So they work like we actually work with CRM, so you get a lot of leads so you actually can capture everything possible. And then you get humans following up on the most likely to become a customer in this case. So yeah, definitely. I think it’s not a fantasy actually. They operate like this, not for everything. Like the SIM farms, sometimes they’re used in social media influencing. That means trying to change people’s mind, and this is a little bit more I would say effective, the way they use them. But yeah, in the call centers, actually it was not a long time ago, they had like full call centers with thousands of individuals working trying to do those things. But now we have a lot of automation, so they are quite improving the system, so they’re becoming more efficient and the efficiency is coming exactly the way you describe it. That means they make a lot of phone calls and then if you answer or you leave, you actually… sometimes they leave messages, you text back, or actually, the other day we have been playing with a case like that. It was about like when we were doing a piece about fake job postings and then we ended up on a group, I think they were based in Thailand, and then they actually were behaving like they were in Queens in New York City. So they basically reach out via text to a lot of people. And then when you text back and somebody, because different time zones and stuff like that have to answer and then depending on the person, that means you may answer, two, three people may answer and get different people. But it depends on the time zone, on when you are reaching out back. Yeah, definitely. Your description makes sense. And I think that’s the way they’re operating right now. Yeah.

Beau: I hate it. I mean, I like it the way that I liked Breaking Bad and The Wire and the Sopranos. I mean, I like it because I’m like, oh, that’s interesting, but I hate it ’cause it affects real people and it doesn’t just affect real people on the targeting side. There are real people in those call centers who are human trafficked and they don’t want to be there.

Marc: And that’s the saddest part of it because you are committing a crime and being a victim at the same time.

Beau: Yeah.

Marc: Without you knowing. It’s very sad because, you know, lack of opportunities or resources get people to do whatever they can to survive. And sometimes people get dragged into like nefarious activities without even thinking. It’s like when they get out, that’s when they figure, oh, I was in a very bad situation. I was involved in something that I would never be involved if definitely I was aware, but it’s too late now. The truth is, the trafficking part is where I believe government institutions and the entire world, we can do better. We can do better because with a little bit of information exposing those people, exposing the bad guys and because they get networks, and then making sure everybody gets access to this basic information, you know, and I think we can do a lot, and mostly I’m talking about kids, about like young people that get dragged without knowing it. They think… I’ve heard of cases where people that think they’re gonna be working for agencies, you know, and then they get opportunities to travel to do all the stuff. And then they ended up being like that. They think they’re gonna be working offshore for a company in the U.S. or for stuff like that, and then yeah, they got dragged into the stuff. So I believe there is a lot that can be done, but still we are far, far from solving it entirely.

Beau: It’s easy to point your finger at somebody who’s driving a Lamborghini and wearing a $300,000 watch and say you’ve taken not having opportunities to the opposite polar extreme. It’s not as easy when you talk about the lack of opportunity where a lot of this stuff takes root and starts.

Marc: Yeah. And I would say this is like the configuration of the world. It’s not like… because of cyber… I think it’s rooted in social conventions. That means we will always have an issue with distribution of wealth or access to wealth or to opportunities. This is the way we have seen it for decades, millennia, I can say from now. I believe with the resources we have right now, we can at least make it available, make information available so people can kind of sort out the different opportunities. So I’m thinking mostly about how come right now in 2025, almost 2026, people are getting scammed about the Nigerian scams, like, okay, I’m gonna send you an inheritance and stuff like that? That means this shouldn’t be possible. I do believe that social engineering is the most powerful tool hackers get in their hands right now.

Beau: And it’s amplified with AI now.

Marc: Yes, but there are like some basic stuff that we definitely can do. I’m not sure if, at school, like high school, elementary school, college people are learning that, you know, there is a pattern. This is the way to identify these patterns. And once you know that, you can almost rule out like several, like big percentage of those scams. We are not doing this, and that’s the part-

Beau: The place where this has to happen is in middle school and elementary school in the United States and in primary education elsewhere in the world. It has to happen. And when people are young and they’re introduced to the idea that our digital lives have a built-in opacity and that opacity can be used neutrally, but it can also be used for bad… there’s no good really in it. It’s just it is what it is. But that opacity can be used by criminals and they use it. So the awareness that there are no free rides in life. I mean, it’s kind of like, it’s always the same old advice. I’ve never ever met a cyber expert who doesn’t say about scams and fraud, if it sounds too good to be true, it is.

Marc: It is unfortunately, and the truth is, it’s not that difficult. Right now one thing I’m trying to do mostly with the cyber hygiene is trying to get people to understand that it’s inevitable. And it’s for sure inevitable when you see the sheer volume of hacks, of cyber attacks, of incidents occurring on a daily basis and to actually anybody. That means it doesn’t discriminate if you are rich, poor, or you’re working for an enterprise or even your location.

Beau: No, when you’re poor it’s worse because that means you can’t survive it.

Marc: Exactly, and not even location. That means I’ve seen- you see right now, Europe and the EU, they have been doing a lot of efforts with pushing companies like the corporations to take privacy a little bit more seriously, to not be that open with people’s data, but still people are getting hacked because they got the same underlying issues. Like I got a case particularly where, ’cause a lady, she is in college, I think sophomore. She was planning on attending a concert and they created a WhatsApp group. Somebody infiltrated the WhatsApp group with a number actually just to… for the location we’re talking about the Netherlands. And then the person received a message from somebody from the group, selling them the tickets and stuff like that. And then I think they got hacked. Basically, they got the identity information and the credit cards, and they actually did the payments, so they got some money out of it from the group. Now it’s a young person, very smart, actually understands a lot about those things, but it was not that simple for this person to identify that there was a scam there. You understand? And when I see it, I say, what are we doing? That means if people at this level in a country where they try to push companies to put barriers to help people with security and privacy, and we still couldn’t actually even prevent that very low level scam, what are we doing? So the idea is just first I think we need to accept and understand that this is inevitable. And second, we need to work our way back to teaching the basics to help people understand and get this to become a second nature, like a habit where you always think, oh, I’m gonna get hacked. That’s the first thing you need to think about, and then you start acting.

Beau: Okay, so here’s something I think about a lot with the show. I don’t know you, when you first joined, the video wasn’t quite working. Mine wasn’t great either. We’d only talked over email. So how do I actually know you’re who you say you are? How do I know Marc R is not an avatar created by a scammer?

Marc: Yeah.

Beau: And he’s not even real. How do I know I’m not talking to an AI?

Marc: You got me to move around.

Beau: So I got you to move around. Yeah, I got you to like, let me see you actually move that computer and see what happens. Because one of the nice things about where we are with the technology is it’s not good enough. Like if you make it run through the paces, it’s gonna fail at some point, and you’re going to see, and I hope that’s always the case. I doubt it will be.

Marc: That’s the second nature we are talking about and definitely I a hundred percent agree, and we try this every time and make sure that like, because we know you should, it’s not a lot. I can name like maybe 10 potential hacks that we really need to be really careful with every time, and people can kind of memorize that and say, you know what, let me, it’s just like a checklist, this check, check, check. Okay, now I can’t relax. You can never relax a hundred percent.

Beau: No, you can’t. But here’s the thing. Do you know what I did, Marc? All I did was I looked when you turned your head, and I wanted to see what happened on the other side of your glasses. And once I saw that that was happening, and that was why I got you moving was I just wanted to see now, is that habit? Yeah, a hundred percent. Now you know what people don’t know is that you are actually an extremely skilled social engineer. So you agreed to be on the podcast ’cause your goal is really to breach DeleteMe.

Marc: No. You know what? Seriously?

Beau: I gotcha.

Marc: Seriously, I’m more looking forward to partnering with DeleteMe, just because I really seriously think they’re doing a good job. And I’m gonna tell you, if I had enough time, I would be a competitor, just because what they’re doing is so important, but I do believe that what they’re doing is great.

Beau: Well, thank you. That’s very nice of you to say after I just accused you of being [inaudible]. We just were talking about awareness and the way that it needs to become hardwired in our minds. What are some of the most common attacks we need to be looking out for?

Marc: The first one that comes to mind, it’s the easiest one, like people steal accounts. So that means account takeover and either it’s email, it’s social media. And I would say that’s the number one complaint we see right now because people can notice it right away. Because sometimes you get hacked. You are not even aware you get hacked. And then the second one is basically cyber harassment right now, which is doing the rounds online for kids, teenagers, and almost everybody because there are a lot of bullies, a lot of trolls, and people can easily find you. They can easily find your email address, your address and everything. So they try to overwhelm or make fun. So this is something very serious and people can remember that very easily. Now you get all types of scams. It depends on your age, and you’ll see that a lot. Older people, they are exposed to a bunch of those scams because they are not really thinking about getting scammed or digital security most of the time.

Beau: Alright, so phishing is just a vector. Meaning it’s a delivery system?

Marc: Exactly. But social engineering is what they do. They call you either on the phone or we see a lot of SMS or smishing they call it.

Beau: What else?

Marc: Deepfakes, which is impersonation. Impersonation. This is a-

Beau: That’s a vector too, right?

Marc: But the impact, impersonation is mostly the consequence right now. That means they can do deepfakes to try to replicate either your voice or your image, but your likeness. But you do have like people acting like it was you creating accounts online and putting you in trouble. I’ve seen people trying to damage other people’s reputation by just doing that. That means somebody hits you. They don’t even have to do something directly to you. They just create your videos and then they get you to say weird things and then you land in trouble directly.

Beau: So, a pretty famous reporter had said some insensitive, homophobic things on Twitter like 10 years before they got famous. And it hit the news and they swore up and down that their account had been hacked and everyone said that is impossible to backdate a tweet. We went in and we found out it was totally possible, and they had not posted those things. We proved it forensically. So there is like, damage to reputation is a real thing. Now on the deepfake front, Marc, we do have a thing in my family, which I recommend to everybody, which is we have a safe word. So if a deepfake of me gets pointed at one of my kids or my partner, they can say, what’s the safe word? But that only keeps you from getting used as a vector. It doesn’t keep you from getting abused by a technology.

Marc: Absolutely. That’s the part used and abused. So for the abuse part, I can tell you we got a long way to go as defenders because it’s not easy to fight back and we don’t have the tools yet. We don’t have the tools. I know that there are like a lot of advanced projects in Google. They had one trying to help identify fake images. But no, it’s complicated. Very complicated, and so far nobody has a tool that you can say for sure, okay, this is generated by AI or deepfake, and this is not the person. You’ll have to do a lot of-

Beau: There’s tools out there. They don’t work though, and they’re not reliable. So what else you got?

Marc: Yeah. And then you get like, some scams, like, now we are in the holiday season. You’ll see gift cards and like the basic stuff like when people are buying online. And when I say 10 things, I was thinking of 10 things you do regularly, and then if you are aware, you can prevent yourself from being in trouble. It is like gift cards or when you are buying online where you are putting, so everybody knows now to look for the SSL sign in the URL to see if the site is supposedly secure. And I think the browsers, they’re doing a good job trying to at least give you a warning. But the problem is most of the time people don’t even pay attention if this is the real enterprise, the real site, because you know, we got a lot of domains. It can be .com, .io, .me, dot whatever. So people, they just land on the website and they say, okay, I’m putting the credit card. And it’s way later they figure out, oh wow, this is not the website I was trying to use to buy this stuff. And hackers, they do that a lot. They do that a lot and then later on, one big deal I’ve seen a lot and mostly this year is about the instant messaging apps, so almost everybody is that I’ve been preaching against some of them. Personally, I just don’t use them because they’re like too difficult to control or to actually secure yourself. But people, they say, you know, I don’t have anything to lose, or I’m not a target, so I just do it because everybody else around me is using this. So that’s a problem. The messaging apps, they are absolutely useful. When you are traveling, you can stay in touch with friends, with families and stuff like that, but you definitely need to pay attention to whom you are sharing this with. And on top of that, when you receive a message, you need to talk because with just one link they send you on a text message or a WhatsApp and you can get in trouble. You install a tracker or a spyware on your device.
And some people, they actually even use WhatsApp on the computers, on the laptops. So imagine the way they enable hackers to take over, right? I’ve seen those messaging apps being completely useful, but at the same time, that’s where they reach out because they get a lot of users. So it’s definitely, and now everybody should know that whatever you put out online is being recorded, stored forever. Not, okay, I can delete it now. It will be there. Mostly somebody will have it and almost a hundred percent of the time you don’t have control of it. Because once somebody takes a screenshot or it is in the archives of whatever website or this website you use, it’s not in business anymore. It’s out of sight. So you lose it forever. You can’t even sue the company because they don’t have it. So you have to be very careful. Think before you act or you say whatever. That is important not only because you are spreading your personal information, but it’s also because you are leaving details of your behavior, of how you think. That can be used against you.

Beau: Thank you so much for joining What the Hack, Marc Raphael. The company is 911 Cyber. Thank you so much.

Marc: Thank you for having me, Beau, and happy holidays to your audience.

Beau: And now it’s time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline. Marc Raphael’s story about waking up to a moving cursor on his monitor is a nightmare. Here’s what waking up looks like when it comes to your cyber hygiene and staying safe: realizing that hacks are inevitable. That’s it. Whether you think you have it all figured out or you’re scared shitless, the scale of automated crime means eventually you’ll be targeted. Here’s the deal. You cannot stay safe by playing a 24/7 game of whack-a-mole. You’re going to let your guard down. You’ve got to go to the bathroom, and that should be a part of your approach to securing your digital life: making room to go to the bathroom, have meals, hang out with people. One way to relax a tiny little is to make yourself harder to hit. Stop being a “lead” on a scammer’s spreadsheet. You can do this by using a service like DeleteMe, which the NYT’s Wirecutter picked as the best in class–and given the right criteria (we’ve been doing this longer than anyone else, among other things) that is the right conclusion. When you scrub your PII from the web, you aren’t just locking the doors and locking the windows at home; you’re literally making your house harder to find–like on an actual map. Scammers and SIM farms are efficient—they want the easy win. When you remove the data that fuels their attacks, you become too expensive to target. You increase the friction until they move on to someone else. And it’s nice to get a break from spam and scam calls too. So secure your accounts to stop the break-in, but scrub your data to make the house harder to find. Okay, so that’s it for this week. Stay safe. Reach out if you have a story, and see you next week. What the Hack is produced by Beau Friedlander (that’s me) and Andrew Steven, who also edits the show. What the Hack is brought to you by DeleteMe.
DeleteMe makes it quick and easy and safe to remove your personal data online, and was recently named the number one pick by New York Times’ Wirecutter for personal information removal. You can learn more about DeleteMe if you go to joindeleteme.com/wth, that’s joindeleteme.com/wth and if you sign up there on that landing page, you will get a 20% discount. I kid you not, a 20% discount. So yes, color me phishing, but it’s worth it.

Learn more:

  • See where your data is exposed with our free scan.
  • Learn more about good and bad advice for staying safe online.
  • Check out 911 Cyber and learn how to combat AI scams and the latest remote access attacks.